Files hidden by a virus are almost never actually deleted — viruses typically set the Hidden and System file attributes to make Windows stop displaying your files in Explorer. Your data remains intact on the drive, waiting to be revealed. This guide walks you through a three-tier recovery approach, from the fastest 30-second fix to handling aggressive variants that even the attrib command cannot touch.
Part 1. Why Viruses Hide Files (and Why That Is Good News)
Viruses hide files by flipping two Windows file attributes: Hidden and System. With both flags set, Windows Explorer and most file managers skip those files entirely — they appear to vanish. The files themselves remain untouched on disk.
This behavior is good news. Because the files are not deleted, you do not need to recover anything in the traditional sense — you need to reveal what is already there. The storage space on your drive is still consumed, which is the fastest way to confirm your files are present.
How to verify files are hidden, not deleted:
- Open File Explorer and right-click your drive (e.g., D:).
- Select Properties.
- Check the Used Space value.
If the used space matches what you expect (or close to it), your files are still on the drive — they are just hidden. Only proceed to data recovery software if the used space is unexpectedly low.
💡 Tip: Write down the used space number before you start any recovery steps. This gives you a baseline to confirm that files are still present throughout the process.
Part 2. The Three-Tier Recovery Approach
Different virus variants hide files in different ways. Use the tier that matches your situation, starting from Tier 1 and escalating only if needed.
| Recovery Tier | When to Use | Success Rate | Tools Needed |
|---|---|---|---|
| Tier 1 — Windows UI | Simple hidden attribute only | High (common viruses) | File Explorer (built-in) |
| Tier 2 — attrib command | Hidden + System attributes set by virus | High (shortcut/autorun viruses) | Command Prompt (built-in) |
| Tier 3 — Recovery software | attrib fails; files show as 0 bytes; aggressive variant | High for file-signature scan | Ritridata or similar |
Start at Tier 1. If your files do not reappear, move to Tier 2. Reserve Tier 3 for cases where both free methods fail.
Part 3. Tier 1 — Show Hidden Files via Windows Explorer
This is the fastest fix and works for viruses that set only the Hidden attribute.
Steps:
- Open File Explorer.
- Click the View menu at the top.
- Select Show → check Hidden items.
- Also open Folder Options (View → Options) → View tab → uncheck Hide protected operating system files (Recommended).
- Click Apply to Folders, then OK.
Your files should now be visible. If they appear but still have a faded icon, right-click the file → Properties → uncheck Hidden → click Apply.
💡 Tip: After unhiding files, move them to a clean drive or folder immediately. Do not leave recovered files on the infected drive while you still have not removed the virus.
Part 4. Tier 2 — The attrib Command (Works for System + Hidden Attributes)
Most shortcut viruses and autorun viruses set both the Hidden (-h) and System (-s) attributes. Windows Explorer's "show hidden files" toggle only removes the Hidden filter — it does not override the System attribute. The attrib command removes both.
Steps:
- Press Windows + R, type
cmd, right-click Command Prompt, and choose Run as administrator. - Type your drive letter and press Enter (e.g.,
D:then Enter). - Run this command — replace
Xwith your actual drive letter:
attrib -h -r -s /s /d X:\*.*
What each flag does:
| Flag | Meaning |
|---|---|
-h | Remove Hidden attribute |
-r | Remove Read-only attribute |
-s | Remove System attribute |
/s | Apply recursively to all subfolders |
/d | Apply to directories as well as files |
- Wait for the command to finish. Open File Explorer and check your drive.
- Delete any
.lnkshortcut files that the virus left behind.
🗣️ r/techsupport user: "I've been having a persistent problem with the shortcut virus. The methods online do help (that 'attrib' thing) but mine seems to come back immediately."
This is a common experience. The attrib command fixes the drive, but if your PC is still infected, the virus will re-hide the files the next time you plug in the drive. Always scan and clean your PC before running attrib, not after.
⚠️ Important: If your files reappear after
attribbut then disappear again after a reboot or reconnect, your computer itself is infected and is re-hiding the files. Run a full malware scan with Malwarebytes on the PC first, then repeat theattribcommand.
Part 5. The "0 Bytes" Problem — The Variant Most Guides Miss
Some aggressive virus variants go a step further: they change the file extension in addition to setting Hidden and System attributes. For example, a file called report.docx might be renamed to report.3p19kn. When you run attrib and the file reappears, it shows a size of 0 bytes and Windows cannot open it.
🗣️ r/datarecovery user: "Files were set as hidden with a changed extension (e.g., .3p19kn) after a virus attack. Files located but showed 0 bytes in directory listings."
The file data is not gone. The virus corrupted the file system metadata — specifically the extension and size entry in the directory table — but the raw file content on disk is intact. Standard Windows tools cannot read it because they rely on that metadata.
Why attrib alone cannot fix this:
attribonly changes file attributes (Hidden/System/Read-only).- It cannot correct a corrupted file extension or repair the directory entry.
- Windows reads the extension to determine file type — a wrong extension means Windows cannot identify or open the file.
The fix: file-signature scanning (Tier 3). Data recovery software reads the raw bytes of each file and identifies the true file type from its internal signature (also called a "magic number"). A .jpg file always starts with FF D8 FF, regardless of what extension the virus assigned. Signature scanning finds and correctly labels these files without relying on the corrupted metadata.
💡 Tip: Before running a signature scan, check used space on the drive again. If the drive still shows significant used space despite files appearing as 0 bytes or missing, the raw data is there — signature scanning will find it.
Part 6. Virus Type vs. Hiding Method — Quick Reference
Different malware families use different tactics. Knowing which type you are dealing with helps you choose the right fix faster.
| Virus Type | Hiding Method | What You See | Best Fix |
|---|---|---|---|
| Shortcut virus (autorun) | Sets H+S attributes; creates .lnk shortcuts | Drive shows only shortcuts | Tier 2: attrib command |
| Autorun.inf virus | Sets H+S; modifies autorun.inf for persistence | Files gone; autorun runs on connect | Tier 2 + delete autorun.inf |
| Trojan / aggressive malware | Changes extension + H+S attributes | Files show as 0 bytes or wrong type | Tier 3: signature-based scan |
| Ransomware-adjacent variant | Encrypts + hides; may also delete originals | Files missing or encrypted | Tier 3 + check for backup |
Part 7. Tier 3 — Recover Files with Ritridata
When attrib fails or your files show as 0 bytes, you need a tool that bypasses corrupted file system metadata and reads raw disk data. Ritridata scans the drive by file signature — identifying every recoverable file by its internal byte pattern, not by extension or directory entry. This makes it effective for the 0-bytes variant and for cases where the virus damaged the file allocation table.
Step 1 — Select the infected drive or USB
Open Ritridata and choose the drive or external storage device where files were hidden. For USB drives, select the drive letter assigned by Windows.
Step 2 — Run a safe scan
Click Scan. Ritridata performs a non-destructive read of the raw drive data. It does not modify any existing files or attributes during the scan.
Step 3 — Preview and recover to a different drive
Browse the scan results, preview files to confirm they are intact, and recover them to a different drive — never back to the infected source drive.
💡 Tip: After recovering your files, do not open them until you have removed the virus from your system. Opening files on an infected machine risks re-infection or re-hiding.
Part 8. After Recovery — Remove the Virus and Prevent Re-Hiding
Recovering your files is only half the task. If the virus remains on your system, it will re-hide the files the moment you reconnect the drive.
Remove the virus first:
- Disconnect the affected drive.
- Run a full system scan with Malwarebytes Free or Windows Defender Offline Scan on your PC.
- Remove all detected threats and reboot.
- Reconnect the drive only after the PC is clean.
Prevent re-hiding via autorun.inf: The shortcut virus spreads by placing a modified autorun.inf file on USB drives. When you plug the drive into a PC, Windows (on older systems) auto-runs the virus. On modern Windows 10/11, autorun is disabled by default — but the virus may still execute if you manually open the drive.
Prevention steps:
- Delete any
autorun.inffile at the root of USB drives you receive from untrusted sources. - Do not double-click to open USB drives — use the address bar in File Explorer to navigate directly.
- Keep Windows Defender real-time protection enabled.
Frequently Asked Questions
Can a virus permanently delete my files, or just hide them? Most common viruses — shortcut virus, autorun virus — hide files by changing attributes. They do not delete the underlying data. However, some advanced malware (ransomware, wipers) can encrypt or delete files. Check your drive's used space: if storage is still consumed, files are present and recoverable.
Why do my files show as 0 bytes after a virus attack? This is the signature of an aggressive variant that changes the file extension in addition to hiding the file. The raw data is still on disk, but the file system entry shows the wrong size and type. Standard tools cannot read it. Signature-based recovery software identifies files by their internal byte pattern and recovers them correctly.
The attrib command says "Access Denied" — what do I do? You must run Command Prompt as Administrator. Right-click the Command Prompt icon in the Start menu and select Run as administrator. Then retry the command.
My files came back after attrib, but disappeared again after a reboot. Why? Your PC is still infected. The virus is running in the background and re-setting file attributes every time the drive is connected. Scan your computer with an antivirus tool, remove all threats, and then run attrib again.
Should I format the drive to remove the virus? No. Formatting destroys the file data along with the virus. Your files are almost certainly still on the drive — formatting removes any chance of recovering them. Use an antivirus scan instead, then recover your files with the methods in this guide.
Can I use Ritridata to recover files from a virus-infected USB drive? Yes. Ritridata supports USB drives, external hard drives, and internal storage. The scan is read-only and does not modify the infected drive.
What is autorun.inf and why does the virus use it? autorun.inf is a configuration file that tells Windows what to do when a drive is connected. The shortcut virus places a malicious autorun.inf on USB drives so it executes automatically, spreading to any PC the drive touches. Deleting autorun.inf from the root of the USB removes this persistence mechanism.
Does the attrib command work on external hard drives, not just USB drives? Yes. The command works on any drive letter — internal HDD, SSD, USB flash drive, or external hard drive. Replace X: with the correct drive letter for your device.
References
- Microsoft Support — How to show hidden files in Windows
- Microsoft Docs — Attrib command reference
- r/techsupport — Shortcut virus discussion thread
- r/datarecovery — Files show as 0 bytes after virus
- Microsoft Support — Windows Defender Offline Scan