Virus hides files, shrinks total capacity

Question

A virus infected my hard drive.

The drive's capacity is 1 TB and has different type of files on it, 400 GB+ in total. Suddenly all the files disappear, and I tried to show hidden files, but it only shows the autorun and a shortcut (probably virus). Its total capacity became 500 GB from 1 TB and the space occupied is 1 GB-, so I'm pretty confident that my files are hidden somewhere.

Just to be clear:

Before: 400 GB+ (space occupied) / 900 GB+ (total space)

Now: 800 MB+ (space occupied) / 563 GB (total space)

Screen shot:

Answer 1

I do not know how to recover the disk to former state, that is, to recover the directory structure of the dive without transfering the data to another disk and then retransfering it to the drive. But I can tell you how to see the files in the drive that are hidden(by viruses).
Open the drive, type *.* into the search field, this will show all the files and folders in that drive. I think this will do the trick because this happens to me often with virus infected drives and I find the files in it by this way.
Note: I am not sure whether this will work or not in your case because there is also a problem of reduced capacity with the drive.

Answer 2

Use a disk space management tool to find out which folders occupy most or an unusual amount of your disk space. Make sure to run them "As Administrator" so that these tools are able to see the whole content of your disk.

There are two features of my tool TreeSize Professional (fully functional 30 day trial available without registration) which might help in this situation:

• You can compare a previous state with a current state
• When run "as administrator" TreeSize will scan the Master File Table (MFT) of NTFS drives which makes it more difficult for malicious files to hide.

Answer 3

Your files have been most likely hidden.

There was a popular virus some time ago that changed the file attributes to "hidden" and "system" (+hs).

When both those attributes are active, you cannot unhide the file via Windows GUI. The only alternative is to use command line and use the attrib command. You can check the manual for attrib command by typing attrib -h and clicking enter.

Please launch the command line using Ctrl+R and then typing cmd and pressing Run.

Basically, from that point you have two alternatives:

• You can manually "unhide" selected files, specifying the path and filenames to the command. This may take really long time.

• You can "unhide" whole E: drive at once using attrib -h -s E:\* /s /d. This command removes all "hidden" and "system" flags from your files, thus restoring them to life.

If the E: drive is not the system drive (ie. the drive that contains Windows), the second option will be a perfectly safe operation.

Answer 4

Disk Management shows disk 0 as 931.5 GB, but E: has only 564 GB.

This could have been caused by a weird virus, but also by a problem with the firmware of the disk.

I would suggest the following :

1. Use a disk-backup product to backup the physical disk 0, sector-by-sector. You will need 1 TB of available disk-space on another disk. Check that the size of the backup is really 1 TB before continuing.

2. Deep-scan your computer for viruses using several well-known anti-virus products. You can use an online scan instead of installing them (requires Internet Explorer or Java), for example: Bitdefender, ESET, F‑Secure. Scan only the system disk, and especially do not scan E..

3. In Disk Management, right-click disk 0 and delete the volume, then recreate a volume and partition that span the whole disk.

The above procedure is risky and can cost you the contents of the disk, and also the backup in step 1 above is not guaranteed to succeed. If you have important data on the disk and no backup, use a commercial disk recovery service (not cheap) and next time keep a backup disk.

Answer 5

There might be two steps of possible solutions:

First, find the list of hidden files in your desired drive by the following command.

Open a command prompt and change the directory to the root of your drive. Then run:

dir /s /a:h C:*.* > test.txt

Explanation:

dir: directory

s: show

This will list all your hidden files in your drive and listed at test.text.

Now open the files through copy pasting the directory in your explorer.

The second possible solution would be opening the recycler:

• Navigate to your drive.

• Click on Organize --> Folder Options

• Navigate to view

• Choose Show hidden files and folders and also uncheck the Hide protected operating system files

• Click Apply and OK

Now you will find a drive with a folder named $recycle.bin. Open it and view for your hidden files.

Answer 6

There is a big difference between 400GB and 800MB. It's my understanding that all files, not matter the attribute, are accounted for in the disk space chart, which means your hard drive has had the data erased. Have you tried using a recovery tool such as Recuva to recover the files? If you want to try it, make sure nothing is written to the drive, and if recovery is possible make sure that you opt to recover to a drive other than the one you are recovering files fro.

Answer 7

Command prompt

attrib -h -r -s /s /d H:\\*.\*

Replace the H in H:\\*.\* with your drive letter)

I didn't know this existed until now.

Answer 8

Try using cmd. Go to the directory that your files are hidden in and then hold down Shift and right click after that click on the open command window here. Then enter these:

attrib *. -h -s /s /d

Tell me the results. The command will show all of the hidden files including the system files. It doesn't change their system files; it just shows them which you can hidden them after.

Answer 9

I have resolved the same problem using this command:

chkdsk /x e: