
Yesterday, my laptop caught a virus which caused massive damage. Since then, I have been trying to recover important files before reformatting my computer, a task the virus has not made easy.

  • Restoration points predating the attack have been deleted.
  • Most of my folders show empty.
  • My Start menu is essentially empty, with the exception of Trillian and Mirror's Edge. The same goes for my Desktop, which only has programs which were installed after the attack.
  • Searching for files through my computer is pretty much useless, as it only rarely brings up anything.
  • I suspect most of my files have not been deleted. While my folders show empty, uTorrent still does display them and I can open them from here. Unfortunately, when I select Open Containing Folder, the folder still shows as completely empty even if I'm currently watching a video from that very folder.
  • Further adding evidence to the not-deleted-just-missing theory, the data recovery software I'm using (Restoration) can only find a handful of the missing files.

If they were deleted, I could do a forensic recovery to get them back, but since they're probably still somewhere on my computer, just out of my reach, I can't find them.

Under those circumstances, is there a way I can recover those files?

6
  • Some malware moves the Start menu items to folders in the user's temp folder. I would make an image of the hard drive before you do anything; this preserves what might be potentially recoverable at that point in time. This is what professional services do: they make an image of the drive and work with the image to recover files, not the actual hard drive. They use special hardware that puts a write block on the hard drive when making the image, essentially preserving its current state.
    – Moab
    Commented Apr 3, 2012 at 15:56
  • Are the files visible via dir /p in a command prompt?
    – Jeremy W
    Commented Apr 3, 2012 at 22:57
  • @Jeremy No. Says volume is empty.
    – Borror0
    Commented Apr 4, 2012 at 10:11
  • @Jeremy The output was far too long to copy by hand so I took a picture of it. imgur.com/TEsyw
    – Borror0
    Commented Apr 4, 2012 at 15:36
  • 2
    perfect - now follow the directions in Kovensky's answer below - only as c:\windows\system32\attrib -H -R -S C:\* /S /D
    – Jeremy W
    Commented Apr 4, 2012 at 17:25

5 Answers

7

Some malware will set certain file attributes to hide your files. It could be in order to pretend they're the files themselves, or could be just to cause distress. The files could be affected with the Hidden attribute (you can see them with the "show hidden files" in folder options, and unset them in the properties sheet) or the System attribute (makes them hidden unless "show protected system files" is checked in folder options).

How to get rid of the attributes

The easiest way is to remove the attribute from all files in the system. This does not affect normal Windows operation, but might make visible files that you really shouldn't be touching, such as pagefile.sys or boot.ini.

  • Open an elevated command prompt (Start->Programs->Accessories->Command Prompt, right click, "Run as Administrator"). If you don't have UAC enabled, just run a regular cmd as an administrator user.
  • Run attrib -H -R -S C:\* /S /D. Replace C:\* with the drive letter you want to fix. -H unsets the Hidden attribute; -R unsets the Read-only attribute (which some malware also set); -S unsets the System attribute. /S makes it recursive, /D makes it apply to folders as well.
  • Remember that when specifying an entire drive, you must put the \ after the :, otherwise MS-DOS quirks kick in and it doesn't actually apply to the entire drive. The attrib command also doesn't seem to like to work in the root folder directly, so the * is needed, but not when working on any other folder.

The less nuclear option is to give a more specific path to the attrib command, such as attrib -H -R -S "C:\path to\folder" /S /D.

In case of 'attrib' is not recognized as a...

It's possible that your %PATH% environment variable is messed up. You can try giving the full path to attrib by calling it as %windir%\system32\attrib. If this still doesn't work, then even the %windir% variable got messed up; just replace it with the path to your windows installation directory, almost always C:\Windows. In the worst case that the tool is not available at all, you need to do a repair install of Windows.

4
  • When I run the query, it says the file is not found.
    – Borror0
    Commented Apr 3, 2012 at 22:48
  • @Borror0 which query?
    – Jessidhia
    Commented Apr 4, 2012 at 10:44
  • attrib -H -R -S C:\ /S /D and when I run the same query but for D:\
    – Borror0
    Commented Apr 4, 2012 at 15:18
  • Hmm, weird; it seems that attrib indeed does not like the root directory. Using C:\* however works; I'll update the answer.
    – Jessidhia
    Commented Apr 4, 2012 at 16:44
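The attrib procedure in the answer above clears the attributes blindly across a whole drive. The following PowerShell script is an added example, not code from the answer or its author: it first reports every file and folder under a chosen path that carries the Hidden, System or Read-only attribute the answer describes, and only clears them when run with -Fix, skipping the protected system files the answer warns about. The script name (Show-HiddenAttrs.ps1), the default path and the $protect list are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Show-HiddenAttrs.ps1  (added example; hypothetical script name)
# Report, and optionally clear, the Hidden/System/ReadOnly attributes that
# malware sets on user files. Without -Fix nothing is changed.
param(
    [string]$Root = "$env:USERPROFILE\Documents",   # assumed default path
    [switch]$Fix                                      # clear attributes only when given
)

# Same three flags that "attrib -H -R -S" removes
$flags = [System.IO.FileAttributes]::Hidden -bor `
         [System.IO.FileAttributes]::System -bor `
         [System.IO.FileAttributes]::ReadOnly

# Files you should not unhide (assumed list; pagefile.sys and boot.ini are
# the ones named in the answer). They are skipped even with -Fix.
$protect = @('pagefile.sys', 'hiberfil.sys', 'boot.ini', 'desktop.ini', 'ntuser.dat')

# -Force is required, otherwise Get-ChildItem itself hides Hidden/System entries
$hits = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band [int]$flags) -ne 0 })

foreach ($item in $hits) {
    $set = [System.IO.FileAttributes]([int]$item.Attributes -band [int]$flags)
    if ($protect -contains $item.Name.ToLower()) {
        Write-Output "SKIP  $($item.FullName)  [$set]"
        continue
    }
    if ($Fix) {
        # Equivalent of "attrib -H -R -S" on this one entry; Directory, Archive
        # and other bits are preserved. A file left with no bits at all must be
        # marked Normal, because zero is not a valid attribute set.
        $new = [int]$item.Attributes -band (-bnot [int]$flags)
        if ($new -eq 0) { $new = [int][System.IO.FileAttributes]::Normal }
        $item.Attributes = [System.IO.FileAttributes]$new
        Write-Output "FIXED $($item.FullName)  [was $set]"
    } else {
        Write-Output "FOUND $($item.FullName)  [$set]"
    }
}
Write-Output "$($hits.Count) entries under $Root carried Hidden/System/ReadOnly"
```

Run it once without -Fix (for example `.\Show-HiddenAttrs.ps1 -Root 'D:\'`) to see which entries were hidden and by which attribute; a user folder whose every file shows "Hidden, System" is the pattern the answer describes. Rerun with -Fix to clear them, which is the per-path equivalent of the answer's attrib command, just with a preview step and a skip list.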
2

Try Recuva. Download the portable version using another computer and run it from a USB drive. These guys also make everyone's favorite: CCleaner.

2
  • 2
    CCleaner? That's not a favourite.
    – Pacerier
    Commented Jun 8, 2015 at 14:47
  • Isn't CCleaner malware now?
    – RJFalconer
    Commented Mar 21, 2018 at 18:12
2

My USB drive and folders were affected by a virus, and I couldn't retrieve my data. The drive's file size was showing as 653MB. I recovered all my data with the help of a PowerISO virtual drive.

Just select the drive or folder that you want to recover (the drive/folder may seem empty, but it still contains data) and make an image file. Open that image file with the same software and copy the files that you want from the image file.

0

You can use regular data recovery tools to retrieve both deleted and present files. One such tool I know of and have positive experience with is Zero Assumption Recovery. As far as I remember, even in its trial version the tool will display a tree of recoverable files, so it won't hurt to go for a trial run.

0

I experienced something like that; it might help you.

My USB stick was infected, so when I plugged it in my antivirus spotted lots of viruses, and as soon as this happened the folder (G:) appeared to be empty. But when I clicked Properties from My Computer there seemed to be 10GB of data in it.

So I traced the viruses from my antivirus to their location and observed that all my folders were hidden inside "G:\ \". So there was a hidden folder named "space", and the virus put all my stuff into that folder.

So why did it appear to be empty back then?

I changed folder properties to make system files/folders appear, and there it was: a hard disk icon with the name "space", which was somehow attributed as an important system file, hidden in plain sight.
