Recovering folders on a flash drive after a virus. How to recover damaged files on a flash drive. How to recover files after a worm

Recovering hidden files after a virus is a common problem that PC users have to face. Recently, many people have been suffering from malware, due to which all files and folders on the hard drive are lost, including personal content like documents, images, etc. Malware can also hide all shortcuts in the Start menu. The virus does not delete data, but adds a hidden attribute to all files and folders on your system, and as a result, it appears as if all data has been deleted from the hard drive.

If you need to perform file recovery after a virus, you can use the instructions below to redisplay all the data that was missing and regain control of your computer. In case the operating system is still infected with malware, you need to use antivirus software. Once the viruses are removed, you can begin to take steps to display the files and folders that have disappeared. To display missing files, you need to change your Windows system settings.

How to show hidden files

If you are running Windows XP, you can recover lost data by doing the following:

  • open My Computer;
  • select Tools;
  • click on Folder Options;
  • select the View tab;
  • check the box next to the Show Hidden Files and Folders option;
  • Click OK to return missing data from your hard drive or flash drives.

To recover data that was lost on Windows Vista, you need to follow these steps:

  • press the Start button;
  • select Computer;
  • click on Tools;
  • select Folder Options;
  • use the View button;
  • select the Show Hidden Files and Folders option;
  • click OK.

If you are interested in how to recover hidden files on Windows 7, you need to follow these steps:

  • press the Start button;
  • select Computer;
  • click Organize;
  • use the Folder and Search Options button;
  • select View;
  • activate the Show Hidden Files and Folders option;
  • click OK.

After completing the above steps, you will be able to see all your files and folders for office programs and other applications, but they will still carry the hidden attribute. Once you remove the unneeded attributes from the files on a flash drive or hard drive, all of them will be displayed in normal mode.

How to remove hidden attributes

If you are using the Windows XP operating system, you need to perform the following steps:

  1. Click Start and Run.
  2. Type cmd and press Enter.
  3. In the command line, type CD\ and confirm with the Enter key.
  4. Type ATTRIB -H *.* /S /D and press Enter. This command removes the hidden attribute, so files that have become invisible are displayed again. Important system files also carry the system attribute, so the above command will not affect them: Windows keeps them hidden from prying eyes, and your most important content won't be lost. The command will take some time to complete, so don't worry if the process takes a few minutes or even half an hour. What it does is simple: it removes the hidden attribute from all directories on the hard drive and from folders on the flash drive after the virus. The /S parameter means that the current folder and all its subdirectories will be processed. The /D option applies the change to folders as well as files.

For Windows Vista or 7 you need to do the following:

  1. Click Start and All Programs.
  2. Select Accessories and find Command Prompt.
  3. Right-click on the Command Prompt option and select Run as Administrator.
  4. At the command line, type CD\ and press Enter.
  5. The command line should now indicate the root folder of the hard drive (probably C:\).
  6. Type ATTRIB -H *.* /S /D and press Enter.
  7. Type Exit and press Enter when the procedure is complete. Then restart the computer.

An alternative is to use the Unhide app created by Bleeping Computer. This is a program for recovering hidden files on flash drives and hard drives. The developer's official website has a whole tutorial on using unhide.exe to restore data that disappeared after a virus infection. With its help, users received the necessary information and successfully restored their PCs. You can download this application to your desktop and run it, so that the above steps to remove attributes from a flash drive after a virus are performed automatically.

Fix problems with shortcuts on the taskbar and Start menu

To display shortcuts on the taskbar and in the Start menu after a virus attack, you need to do the following:

  1. Open Computer.
  2. Go to Drive C, Users, Your User Name, AppData, Local, Temp, SNTMP or SMTMP.
  3. Open the directory with the number 1.
  4. Select Edit, Select All and Copy.
  5. Leave the directory open and go to My Computer again.
  6. Select Drive C, Program Data, Microsoft, Windows, Start Menu.
  7. Click Edit and Paste to copy the Programs folder and other shortcuts to the appropriate location.
  8. Open the directory with the number 3.
  9. Select all files and copy them.
  10. Go to Drive C, Users, Username, AppData, Roaming, Microsoft, Internet Explorer, Quick Launch, User Pinned, Taskbar and paste files.

After completing the above steps, all shortcuts should return to their places.

This note follows the forum topic “folders disappeared from the flash drive” and contains the recommendations found in it.

Situation description: folders on a storage medium no longer appear, as if they had been deleted. However, the amount of space they occupy remains unchanged, i.e. the space is still occupied by the disappeared folders and the files in them. Most likely this indicates that the information was not deleted, but that the folders simply became invisible. This happens as a result of the actions of some viruses. Below I list ways to make folders visible again:

Enable showing hidden files and folders in Explorer

The simplest case is when the “hidden” and “system” attributes are set for folders, and Windows is configured in such a way as not to show hidden files and folders. It is enough to enable the display of such data and remove the attributes as described in the article: displaying hidden files and folders.

Remove attributes using the command line

Another way to make data visible is using the command line.

1) Open the command line: Start -> Run -> enter: cmd -> click “OK”;

2) In the black command line window, enter:

(where X is the drive letter or flash drive)

3) Select and copy the line below:

attrib -s -h -r -a /s /d *.*

4) Right-click on the black command line window and press Enter.

Wait until the utility replaces the attributes of all files. After this, the files and folders will become visible.

File manager Total Commander

First you need to enable the display of hidden ones. To do this, go to the “Configuration” menu, then “Panel Contents”, check the box for “Show hidden system files”.

Open the flash drive, select the directories with an exclamation mark and remove the attributes: go to the “File” menu, then “Change attributes”. Remove the attributes and click “OK”.

File Manager Far Manager

You can also use the Far Manager file manager, which by default shows any hidden and system folders, and also allows you to remove unnecessary attributes. Download it, install and run. Further:

1) Open the flash drive in Far Manager: press the combination “Alt-F1” (left panel) or “Alt-F2” (right panel), then select the letter of the required media from the list.

2) Using the “Insert” key, select the hidden folders, press “Ctrl-A”, remove all unnecessary checkmarks from the “Read only” and “System” items, leave only “Archive”, and confirm with the “Set” button.

Here you can clean the RECYCLER folder, delete shortcuts (.lnk), unnecessary executable files (.exe), and, of course, the autorun.inf file, if present.

After these steps, the data on the flash drive will be displayed in normal form.

Some viruses go further: they rename or move folders to the E2E2~1 directory, which is not visible in Windows Explorer. This is only relevant if the media file system is FAT32; this problem does not exist in NTFS. To find out what file system is on the flash drive, open “My Computer”, right-click on the flash drive, and select “Properties” from the drop-down menu. In the window that opens, look at the “File system” line.

For example, if your flash drive is connected as drive “E”, then go to:

Start -> Run -> cmd -> OK

In the black window that opens, you must enter the commands one by one, confirming each with the Enter key:

The first command makes drive E active. If the letter of your media is different, put your letter instead of E before the colon.

The second command displays a list of folders and files on the media. If E2E2~1 is listed, run the command which will rename the folder:

3) ren E2E2~1 NewFolder

After this, the NewFolder folder will appear in Explorer. Instead of NewFolder, you can specify any other folder name if you wish.

In conclusion

That seems to be all about the restoration of missing information after the virus. Just do not forget that before the listed actions it is necessary that the virus itself be neutralized by an antivirus, otherwise the problem will recur.

We already know that there is a family of viruses that specialize in penetrating portable flash devices. , then we restored hidden folders and replaced files.

In this material we will talk about another type of virus that more seriously hides your data, in particular folders. The virus does not change the directory attributes, but renames the folder with prohibited characters, which makes the directory invisible to the system...

If you also find yourself in a similar situation, then it may well be that the Trojan.Radmin.13 virus (according to the classification) worked on the contents of your flash drive, which packed your folders and files into a folder invisible to the operating system with an original name consisting of two dots - " .. " In other words, the virus packed your data into a folder with a name consisting of characters that are prohibited in Windows.

How to recover missing folders on flash drives?

First, let’s clarify right away that not in all cases the folder can exist in this form; it is possible that the virus could delete the contents of the flash drive completely. In our case, folders can be restored, and this is evidenced by the displayed amount of occupied memory on the device.

Now in order:

  1. Open the command line console. To do this, open the “Run” window using the keyboard shortcut Win + R, type CMD in the line and press Enter.
  2. In the command prompt window that appears, enter the letter of your flash drive, as it appears on the computer, followed by a colon, for example, F:
  3. Next, enter the command:
    dir /x /ad
    • dir – a command that displays all files and folders with subdirectories
    • /x – a parameter that displays short names for files whose names do not comply with the 8.3 standard
    • /ad – an option that displays only a list of folders
  4. After running the command, you should see a folder called “E2E2~1”, which indicates that it is thanks to the virus that your folders are invisible!
  5. Type the following command:
    ren E2E2~1 NEWF
    • ren (rename) – a command that allows you to rename both files and directories
    • E2E2~1 – source directory
    • NEWF – final directory
  6. Start execution with the Enter key and close the command line window.
  7. Now all that remains is to check the result of the changes by opening the flash drive through Explorer or any other file manager.

Instead of an afterword

In most cases, such manipulations help solve the problem with missing folders on a flash drive. But as I mentioned above, viruses never repeat their actions, so it is not a fact that this particular algorithm of actions will help you.

People often ask me questions: files on the flash drive have disappeared, files on the flash drive have become invisible, or where did the files from the flash drive go? This cannot just happen; it is definitely the work of a virus on your computer or laptop. But for now we won't consider the issue of checking your computer for viruses; we need to access the files on the flash drive, because most often you find out about your flash drive being infected on someone else's computer, and you don't often want to drag yourself back to the other end of town.

So, let's get started. First, we need to see the files. To do this, we must enable the display of hidden files and folders in the system where the flash drive is mounted. Go to Start - Control Panel - Folder Options - View tab, scroll the list to the very end and, in the Hidden files and folders group, set the switch to Show hidden files, folders and drives. More often than not, the virus marks its own and infected files as system files in order to complicate their removal, so it is a good idea to also uncheck the box located just above, Hide protected system files (recommended), then click Apply and OK.

Now we see absolutely all files on all media, both hidden and system. Now at least we can do something with them and work with them.

But our files are still invisible, and if we connect this flash drive to a computer that is configured by default, we will have to do everything described above again. This is of course not convenient, so we make the files on the flash drive visible. Now let's figure out why our files on the flash drive became invisible. It is because the virus has assigned the Hidden attribute to all files and folders. Unfortunately, after the actions of the virus, it is not possible to simply uncheck the box in the file properties.

We need to change the attributes using the command line. To open it, go to Start - Run, type cmd and press Enter, or go to Start - Applications - Command Prompt.

A black window will appear. In it, type the command cd /d e:/ and press Enter (e is the letter of the flash drive; yours may be different depending on the number of disks in the system). With this command we go to the root directory of the infected drive.

ATTENTION! The following command must be executed specifically for the selected media; if you run this command somewhere else, hidden files and folders will become visible there too, and we don't need this.

The line now begins with e:\>. On this line, type the command attrib -s -h /d /s and press Enter. We wait a little and see that on our flash drive all the translucent folders have appeared.

If there are a lot of such flash drives or disks, you can automate the process a little by writing a .bat file with this command yourself or downloading it from here. The file name can be anything, for example, proyavitel.bat.

This file must be copied to the root and launched from exactly the drive that we want to display. Otherwise, as described above, we may accidentally make visible all the files on a drive that does not need it, for example, on the system drive.
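One way to write such a .bat file so that it cannot be run against the system drive by mistake. This is an added example, not the author's downloadable file; the log file name unhide_before.txt and the confirmation prompt are assumptions made here.

```batch
@echo off
rem Added example (not the author's file). Clears Hidden and System
rem only on the drive this script is stored on.
setlocal

rem %~d0 expands to the drive of the running script, for example E:
set "TARGET=%~d0"

rem Guard: never run against the Windows system drive.
if /i "%TARGET%"=="%SystemDrive%" (
    echo Refusing to run on the system drive %SystemDrive%.
    echo Copy this file to the root of the flash drive and start it from there.
    exit /b 1
)

rem Ask before changing anything on the medium.
set "ANSWER="
set /p "ANSWER=Clear Hidden and System attributes on %TARGET% ? [y/N] "
if /i not "%ANSWER%"=="y" exit /b 0

rem Work from the root of the target drive, as in the manual steps.
cd /d "%TARGET%\" || exit /b 1

rem Keep a record of what was hidden, stored off the flash drive.
rem The file name is an assumption of this example.
set "LOG=%TEMP%\unhide_before.txt"
dir /a:h /s /b > "%LOG%" 2>nul
echo List of previously hidden items saved to "%LOG%"

rem The command from the text, with an explicit file mask:
rem /s = process subfolders too, /d = apply to folders as well as files.
attrib -s -h *.* /s /d

echo Done. Check the drive %TARGET% in Explorer.
endlocal
```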

A new type of virus has appeared on the Internet that infects flash drives and external drives. I first encountered a similar virus about six months ago, when one of my clients had a similar virus hide all folders on flash drives and create shortcuts in their place. Since this was an isolated incident, I thought there was no need to worry and describe this problem. But very soon there were calls for help “help me recover data from a flash drive” and this virus turned out to be the cause of it all!

If you notice that folders on the flash drive have become shortcuts

Let's assume that you notice that when opening folders on flash drives, a system error occurs and only then does the folder open. See if the folders have a shortcut icon - it's a small arrow on the folder icon in the lower left corner.

If there are many or even all of these shortcut folders, then the system is probably infected with a virus, and your flash drive serves as its distributor.

Cleaning a flash drive from viruses

1. To search for and remove such a virus, I recommend using several antiviruses: first, do a full scan of your computer with the installed antivirus. In my case it is Avast (see Fig. 2). Scan the system drive C: and removable media, i.e. inserted flash drive.

If viruses are found, remove them. Of course, infected files from the Windows system folder must be handled carefully: disinfect them first or place them in quarantine. All others can be safely deleted.

2. Regardless of whether a virus was found or not, check the system with any other anti-virus utility. I recommend using CureIt. (http://www.freedrweb.com/download+cureit+free/).

Scan your system drive C and flash drive with this utility. Other logical drives can be scanned another time, otherwise removing a simple virus may take a long time.

3. After the system has been analyzed by several anti-virus programs and something may or may not have been found, it’s time to move on to restoring hidden folders on the flash drive, and at the same time clean the flash drive of viruses that might have been missed by anti-virus scanners.

How to show hidden files and folders on a flash drive

I’ll tell you in two words what’s going on here and why folders become hidden and invisible, and shortcuts take their place.

The logic of such a virus is simple, but at the same time extraordinary. Once on the flash drive through an infected computer, it registers itself in the hidden RECYCLER folder, which it hides using the “Hide” system attribute. It places an instance of malicious code (virus) there under any name. This is how it camouflages itself. The virus assigns the “hidden and system” attribute to all files and folders that are on the flash drive, as a result of which they become invisible, i.e. hidden.

Then, the virus creates shortcuts to all hidden files and folders and makes them visible, substituting them instead of the originals. Not a bad idea, right?

As soon as you insert such an infected flash drive into your computer, open it and click on the shortcut folder, the system command will trigger to launch the virus from the RECYCLER folder, and then to open the hidden original folder. If the antivirus does not respond to the virus, your computer will be infected and the consequences can be different: from stealing passwords to installing a backdoor to control your computer.
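A read-only check of a flash drive for the signs described above (a shortcut standing in for a folder of the same name, hidden and system folders in the root, and the autorun.inf file mentioned earlier). This is an added example, not the author's code; the script name checkusb.bat and the output labels are assumptions, and the script changes and deletes nothing.

```batch
@echo off
rem Added example: read-only check, nothing is modified or deleted.
rem Usage (script name is hypothetical): checkusb.bat E:
setlocal
set "DRIVE=%~1"
if not defined DRIVE (
    echo Usage: %~nx0 DRIVE_LETTER:
    exit /b 2
)
if not exist "%DRIVE%\" (
    echo Drive %DRIVE% not found.
    exit /b 2
)
set "FOUND=0"

rem 1. A visible shortcut in the root whose name matches a folder in the
rem    root: the substitution pattern described in the text.
for %%L in ("%DRIVE%\*.lnk") do (
    if exist "%DRIVE%\%%~nL\" (
        echo SUSPECT shortcut "%%~nxL" stands in for folder "%%~nL"
        set "FOUND=1"
    )
)

rem 2. Root folders that carry both the Hidden and System attributes.
rem    "System Volume Information" is created by Windows itself; skip it.
for /f "delims=" %%D in ('dir /a:dhs /b "%DRIVE%\" 2^>nul') do (
    if /i not "%%D"=="System Volume Information" (
        echo HIDDEN+SYSTEM folder "%%D"
        set "FOUND=1"
    )
)

rem 3. An autorun.inf file in the root of the drive.
if exist "%DRIVE%\autorun.inf" (
    echo PRESENT autorun.inf in the root of %DRIVE%
    set "FOUND=1"
)

if "%FOUND%"=="0" echo None of the checked signs found on %DRIVE%
rem Exit code 1 means at least one sign was reported, 0 means none.
endlocal & exit /b %FOUND%
```

Run it from the computer's own disk with the flash drive letter as the argument, and do not open any of the reported shortcuts.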

There are several options for how to remove a virus from a flash drive and make hidden files visible:

  • Using the command line
  • Using a bootable Live DVD (or bootable USB flash drive)
  • Using file managers (Total Commander, Far, etc.)

Personally, I use a boot disk and a flash drive in my work. But since this method requires a special disk or a special flash drive that needs to be mounted, it is a bit difficult for the average user.

Therefore, I will show you another easier way - using the Total Commander file manager.

Restoring the previous appearance of folders on a flash drive

1. Go to the website http://www.ghisler.com/850_b15.php and download the 32+64-bit version of the program (Combined installer Windows 95 up to Windows 8, 32-bit AND 64-bit!).

2. Install it. Even if you already have a similar program installed, update it. Its icon will appear on the desktop (in some cases as many as two).

3. Open the program by clicking on its icon. In the program window, click on the start button at the desired number (1, 2 or 3). This small inconvenience allows us to use this program for free.

4. In the left window of the program, select your flash drive from the drop-down list.

5. At first glance, everything is in order with the flash drive: the folders are in place and only the files are missing, but it only seems so. If you look carefully, you will notice that the folders are shortcuts, because they have the extension .lnk, whereas real folders do not have an extension.

Open the section In the settings window, select the Panel Contents section and on the right side, check the boxes next to the following parameters:

  1. Show system files

Now the picture has changed. Hidden system files were displayed (they may not even be system files, because they were simply given such an attribute).

6. Delete all shortcut folders with the .lnk extension. To do this, hold down the CTRL key and select the desired files with the mouse. Press the DELETE key on your keyboard. Agree to deletion.

7. It remains to restore the previous appearance of the folders. To do this, it is enough to remove the “hidden, system, etc.” attributes from them. This cannot be done using the standard tools of the Windows XP, 7 or 8 operating system, but with the help of the Total Commander file manager it is easy.

Select any file with a single click of the left mouse button, then select all folders and files using the keyboard shortcut CTRL+A.

Open the section. Clear all the checkboxes next to the values:

  • Archive
  • Read only
  • Hidden
  • System

And click on the OK button. Now the files on the flash drive can be viewed using a simple Explorer.

8. One more small detail. All that remains is to delete the RECYCLER folder, which may contain the virus. Select the RECYCLER folder using the right mouse button and press the DELETE button on your keyboard. Agree to delete all files in this folder. If, when deleting, a warning appears that the file cannot be deleted so easily, then select the “with administrator rights” button.

That's all! The virus will be removed and the files will be safely restored.

At the end of this review, I want to warn you in advance, if you suddenly notice that files have disappeared on the flash drive or, as in this example, shortcuts have appeared instead of folders and files, DO NOT HURRY TO FORMAT your flash drive! Try using this method to return everything to its place.



 
