A virus deleted your files — but before you run recovery software, you need to know which of three very different situations you're actually dealing with. In many cases, your files are not deleted at all, and the fastest fix takes under five minutes.
This guide covers all three scenarios with step-by-step instructions for each.
Part 1. What Actually Happens When a Virus "Deletes" Your Files
When a virus appears to delete your files, one of three things has typically happened. Understanding the difference determines which recovery method will work.
Scenario A — Files are truly deleted. The virus removed the file system entries, making files disappear from Windows Explorer. The underlying data often remains on the drive until new data overwrites it, which means recovery software can frequently find and restore these files.
Scenario B — Files are hidden by the virus. Many viruses, especially USB shortcut viruses, don't delete files at all. They change file attributes to HIDDEN and SYSTEM, making files invisible without touching the actual data. The files are still there — they're just not visible.
Scenario C — Your antivirus quarantined or deleted the files. Windows Defender and third-party antivirus programs sometimes flag legitimate files as threats and move them to quarantine. If you ran a scan right before files disappeared, this is a likely cause.
⚠️ Important: Stop using the affected drive the moment you notice files are missing. Every file you save, every program you run, and every Windows update increases the chance that deleted file data gets permanently overwritten.
Part 2. Diagnose Your Situation Before You Do Anything
Use this table to identify which scenario applies to you before attempting any recovery method.
| Clue | Most Likely Scenario | Next Step |
|---|---|---|
| Files disappeared after running a virus scan | Antivirus quarantined them (Scenario C) | Check Protection History first |
| Files replaced by shortcuts (.lnk files) | Virus hid files (Scenario B) | Run attrib command |
| Drive shows less free space than expected | Files still present but hidden (Scenario B) | Run attrib command |
| Drive free space increased after infection | Files were deleted (Scenario A) | Use data recovery software |
| Files disappeared with no scan involved | Could be A or B | Check hidden files first, then recovery software |
| Files missing from USB/external drive after connecting to infected PC | Likely hidden (Scenario B) | Run attrib command |
💡 Tip: Check the drive's free space before and after. If free space increased significantly after the infection, data was likely deleted. If free space stayed the same or decreased, files are probably still on the drive in a hidden or quarantined state.
Part 3. Scenario B Recovery — Unhide Files a Virus Hid From You
This is the fastest fix and should be tried first if your drive's free space hasn't changed.
Step 1: Open Command Prompt as Administrator
Press Win + R, type cmd, then press Ctrl + Shift + Enter. Click Yes at the UAC prompt.
Step 2: Navigate to the affected drive
Type the drive letter followed by a colon and press Enter. For example, if your files are on drive D or a USB drive labeled E:
D:
Step 3: Run the attrib command
attrib -h -r -s /s /d *.*
This single command removes the Hidden, Read-only, and System attributes from all files and folders on the drive, including subfolders.
| Flag | What It Does |
|---|---|
-h | Removes the Hidden attribute |
-r | Removes the Read-only attribute |
-s | Removes the System attribute |
/s | Applies to all files in subfolders |
/d | Applies to directories as well |
*.* | Targets all files |
Step 4: Open File Explorer and check
After the command finishes (it may take a minute on large drives), open the drive in File Explorer. Your files should now be visible.
💡 Tip: If you still see shortcut (.lnk) files alongside your recovered files, delete the shortcuts — they are left behind by the virus and serve no purpose once the hidden files are restored.
🗣️ r/datarecovery user: "A Trojan replaced all my shortcuts with white icons. Thought everything was deleted. Used the attrib command and my files were just hidden — got them all back in 5 minutes."
Part 4. Scenario C Recovery — Restore Files Your Antivirus Quarantined
If you ran Windows Defender or another antivirus before files went missing, check quarantine before using any recovery software.
Restore from Windows Defender (Windows Security)
- Open Windows Security — search for it in the Start menu
- Click Virus & threat protection
- Click Protection history
- Look for items marked "Quarantined" with a date matching when your files disappeared
- Click on the item and select Restore
Restore using Command Prompt (if GUI doesn't show a Restore button)
Open Command Prompt as Administrator, then run:
cd "C:\Program Files\Windows Defender"
MpCmdRun.exe -restore -listall
This lists all quarantined items. To restore a specific file:
MpCmdRun.exe -restore -name "ThreatName"
Replace ThreatName with the name shown in the list output.
For third-party antivirus programs
Most antivirus programs store quarantined files in their own interface. Open your antivirus dashboard, look for a section called Quarantine, Vault, or Threats Handled, and look for a Restore option next to each item.
🗣️ r/antivirus user: "I ran Malwarebytes and it cleaned everything but now half my documents are gone. Turns out the antivirus quarantined them — check Windows Security > Protection History before assuming they're lost forever."
💡 Tip: If your antivirus quarantined a file you know is legitimate (a work document, a photo), you can add that file's folder to the antivirus exclusion list after restoring, to prevent it from being quarantined again.
Part 5. Scenario A Recovery — Recover Files the Virus Truly Deleted
If the attrib command didn't restore your files and quarantine is empty, the virus likely deleted the actual file system entries. The data may still be physically present on the drive until overwritten — but you need recovery software to find it.
Free option: Windows File Recovery (Microsoft's official tool)
Windows File Recovery is a free command-line tool from Microsoft available in the Microsoft Store. It works on Windows 10 and Windows 11.
Basic usage to recover files from drive D to a recovery folder on drive E:
winfr D: E:\recovery /extensive
The /extensive mode performs a deeper scan and is recommended after virus-related deletion.
When to use dedicated data recovery software
Windows File Recovery works well for many situations, but dedicated data recovery software may provide better results when:
- Files were deleted some time ago
- The drive has had significant activity since the deletion
- You need a visual preview before recovering
- You are not comfortable with command-line tools
Ritridata is designed for exactly these situations — including virus and malware data loss scenarios.
Part 6. Recovery Safety Rules
Following these rules gives you the best chance of a successful recovery.
Rule 1 — Stop writing to the drive immediately. Every new file saved to the affected drive may overwrite the deleted file data you are trying to recover. Disconnect the drive from the internet and pause all background activity if possible.
Rule 2 — Remove the virus before recovering. Run a full antivirus scan with Windows Defender or Malwarebytes before recovery to ensure the malware cannot re-delete your recovered files.
Rule 3 — Always recover to a different drive. Never save recovered files back to the drive you are recovering from. Use an external drive, USB, or another internal partition as the destination.
Rule 4 — Handle recovered files carefully. If you recovered files from an infected drive, scan them with antivirus before opening them. Some viruses attach themselves to documents and executables.
⚠️ Important: Recovering files to the same drive you are scanning is one of the most common mistakes — it can permanently destroy the data you are trying to save. Always use a separate destination drive.
Part 7. Recover Virus-Deleted Files with Ritridata
Ritridata supports recovery from virus and malware data loss scenarios. It scans the drive at a low level to find deleted file signatures, allows you to preview recoverable files before committing to recovery, and saves them safely to a separate location.
Step 1 — Select the drive or location where files were lost
After launching Ritridata, choose the drive that was affected by the virus — this may be your main C: drive, an external hard drive, or a USB drive.
Step 2 — Run a safe scan
Ritridata scans the drive without writing any data to it, so your remaining recoverable files stay intact during the scan process.
Step 3 — Preview and recover to another drive
Browse the scan results, preview files to confirm they are intact, then select a different drive as the save destination. Recovering to a separate drive helps prevent overwriting any remaining deleted data.
FAQ
Can files deleted by a virus actually be recovered?
In many cases, yes. When a virus deletes files, it typically removes the file system entry but leaves the underlying data on the drive. As long as new data hasn't overwritten that space, recovery software may be able to locate and restore the files. Success depends on how much activity has occurred on the drive since the deletion.
How do I know if a virus hid my files or deleted them?
Check the drive's free space. If the free space is roughly the same as before the infection, files are likely still present but hidden. If free space increased significantly, files were probably deleted. You can also run the attrib command — if it reveals files, they were hidden.
Will Windows Defender restore files it quarantined?
Yes, in most cases. Open Windows Security, go to Virus and threat protection, click Protection history, find the quarantined item, and select Restore. If the Restore option is not available, you can use the MpCmdRun.exe command-line tool.
Is it safe to recover files from an infected drive?
It can be done safely if you take precautions. Remove the virus with a full antivirus scan before recovering, use a separate destination drive for recovered files, and scan recovered files again before opening them. Using a virtual machine to inspect recovered files adds another layer of protection.
What is the attrib command and is it safe to use?
The attrib command is a built-in Windows utility that changes file attributes. Running attrib -h -r -s /s /d *.* is safe — it only removes the Hidden, Read-only, and System flags from files. It does not delete or modify any file content.
What if my files were encrypted by ransomware?
Ransomware is a different situation from typical file deletion. Encrypted files typically cannot be recovered with standard data recovery software — the data is still there but scrambled. In this case, check if a free decryptor exists for your specific ransomware strain at No More Ransom, a free resource maintained by cybersecurity organizations.
Should I use multiple recovery tools at once?
Running multiple recovery tools simultaneously on the same drive is not recommended. Each tool may write temporary data during scanning, which could overwrite the deleted file data you are trying to recover. Use one tool at a time, and always recover to a different drive.
Can I recover files from a USB drive that was infected?
Yes. Connect the USB to a clean computer (one without an active infection), then follow the same process — try the attrib command first, check antivirus quarantine if applicable, and use recovery software if files were genuinely deleted.