Sunday, March 20, 2011

Recovering Complicated Hidden Files

I once had a USB memory stick that was supposedly infected by a virus. Looking at it, I realized that this malware had erased many folders and files, but I first tried to see if they were only hidden.

Let's suppose that this was the USB file structure, with no virus.



Once the virus infected the USB, the situation changed into this. As you can see, there were no files inside, but in the folder properties we could see that it actually contained 1 file and 1 directory.

The next thing I did was to show all hidden files, but it didn't work, so I disabled the "Hide protected operating system files (recommended)" option, with this result.

Therefore, the virus hadn't erased them, only hidden them. However, the properties dialog of the file or folder couldn't be used to unhide them, because the "Hidden" property was read-only as they were classified as system files.

To solve this, I had to use the "attrib" command to remove the system file mode from these files. To do so, it's necessary to use the "-h" (unhide) and "-s" (system file) switches to remove these attributes from the files.


After this, the files will be normal, as they used to be. Remember that you have to run this command in the command line window that you can find in your "Start" menu.
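
The same cleanup as an added PowerShell example (not part of the original post): it lists every item on the drive that carries both the Hidden and System attributes and, only when run with `-Apply`, clears them with the `attrib -h -s` switches described above. The drive letter `E:\` and the parameter names `Root` and `Apply` are assumptions.

```powershell
# Added example: audit, then optionally clear, Hidden+System attributes on a USB drive.
# Save as a .ps1 file. $Root is an assumed drive letter; point it at the affected volume.
param(
    [string]$Root = 'E:\',
    [switch]$Apply   # without -Apply the script only reports what it found
)

# Bit mask for "hidden AND system", the combination Explorer treats as
# a protected operating system file.
$hs = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system items as well.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $hs) -eq $hs }

foreach ($item in $items) {
    # Windows' own volume folders are legitimately hidden+system; leave them alone.
    if ($item.FullName -match '\\(System Volume Information|\$RECYCLE\.BIN)(\\|$)') {
        continue
    }

    # Report first, so the list can be reviewed before anything is changed.
    Write-Output ("{0}  [{1}]" -f $item.FullName, $item.Attributes)

    if ($Apply) {
        # Both switches are passed in one call: attrib will not clear
        # the hidden flag on its own while the system flag is still set.
        & attrib.exe -h -s $item.FullName
    }
}
```

Run it once without `-Apply` to review the list; any unexpected executables or shortcuts in that list are candidates for scanning rather than unhiding.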

