Virus hides files, shrinks total capacity

5

0

A virus infected my hard drive.

The drive's capacity is 1 TB and it has different types of files on it, 400 GB+ in total. Suddenly all the files disappeared, and I tried to show hidden files, but it only shows the autorun and a shortcut (probably virus). Its total capacity became 500 GB from 1 TB and the space occupied is 1 GB-, so I'm pretty confident that my files are hidden somewhere.

Just to be clear:

Before: 400 GB+ (space occupied) / 900 GB+ (total space)

Now: 800 MB+ (space occupied) / 563 GB (total space)

Screen shot:

Enter image description here

Kelvin Barsana

Posted 2015-07-06T10:13:38.160

Reputation: 101

Have you run an AV scan? Did you have anti-virus software to begin with? – zain.ali – 2015-07-06T10:18:14.803

yeah scanned the hdd and deleted the virus, even moved the drive to different computer as a slave but still no show – Kelvin Barsana – 2015-07-06T10:19:26.790

All My Files and Folders are Hidden after Rogue Virus attack – DavidPostill – 2015-07-06T10:20:14.433

tried to show hidden files but it only shows the autorun and bootsqm.dat and shows that there is no space occupied – Kelvin Barsana – 2015-07-06T10:22:06.837

not sure about the exact size range but I'm definite that if you deduct my files on the hdd which are now missing, you'll get its present capacity, which has shrunk – Kelvin Barsana – 2015-07-06T10:39:11.583

Post a screenshot of your Windows Disk Management screen. – qasdfdsaq – 2015-07-06T10:58:52.780

screenshot posted – Kelvin Barsana – 2015-07-06T11:06:15.150

Have you checked volume shadow storage, and the size of C:\System Volume Information? You'll need to give yourself permissions on System Volume Information before you can enumerate its size and contents. – Adam Thompson – 2015-07-06T11:15:16.107

im referring to drive E by the way, system volume information's file size in E is 2.89mb, how to check volume shadow storage? – Kelvin Barsana – 2015-07-06T11:19:07.810

Hi Kelvin,

have you tried using WinDirStat to see exactly where your space is going?

It may not be able to show you the files if they're hidden but should still show you the directory.

https://windirstat.info/download.html

– David Golding – 2015-07-10T09:27:45.100

2Option: If you can plug this hard disk to a linux based operating system or have a linux based operating system on a different partition, easily you can find all the files that are missing. – Chamath – 2015-07-10T10:43:18.300

@KelvinBarsana Maybe you could use something like MiniTool Partition Wizard to check for any hidden/lost partitions and recover them. For the first part of your question, Michał Sacharewicz's answer seems to be on point.

– Vinayak – 2015-07-10T13:52:42.613

The name of the virus would be relevant here to give any informed answer, otherwise there's just wild guesses. – Peter – 2015-07-11T07:37:41.090

Answers

1

I do not know how to recover the disk to its former state, that is, to recover the directory structure of the drive without transferring the data to another disk and then retransferring it to the drive. But I can tell you how to see the files in the drive that are hidden (by viruses).
Open the drive, type *.* into the search field, this will show all the files and folders in that drive. I think this will do the trick because this happens to me often with virus infected drives and I find the files in it this way.
Note: I am not sure whether this will work or not in your case because there is also a problem of reduced capacity with the drive.

RogUE

Posted 2015-07-06T10:13:38.160

Reputation: 2 431

Answer is much improved. – Ramhound – 2015-07-06T13:13:46.150

sorry, but it still doesn't show my files – Kelvin Barsana – 2015-07-07T06:34:42.590

Please attach a screenshot of TreeSize Professional to this post or to a support request at JAM Software. – Joachim Marder – 2015-07-07T10:48:11.833

@RogUE have tried it on linux and even its testdisk software but still no light – Kelvin Barsana – 2015-07-08T01:32:26.777

1

Use a disk space management tool to find out which folders occupy most or an unusual amount of your disk space. Make sure to run them "As Administrator" so that these tools are able to see the whole content of your disk.

There are two features of my tool TreeSize Professional (fully functional 30 day trial available without registration) which might help in this situation:

Joachim Marder

Posted 2015-07-06T10:13:38.160

Reputation: 390

sorry, but it still doesn't show my files – Kelvin Barsana – 2015-07-07T06:39:51.500

1

Your files have been most likely hidden.

There was a popular virus some time ago that changed the file attributes to "hidden" and "system" (+hs).

When both those attributes are active, you cannot unhide the file via Windows GUI. The only alternative is to use command line and use the attrib command. You can check the manual for attrib command by typing attrib -h and clicking enter.

Please launch the command line using Ctrl+R and then typing cmd and pressing Run.

Basically, from that point you have two alternatives:

  • You can manually "unhide" selected files, specifying the path and filenames to the command. This may take really long time.

  • You can "unhide" whole E: drive at once using attrib -h -s E:\* /s /d. This command removes all "hidden" and "system" flags from your files, thus restoring them to life.

If the E: drive is not the system drive (ie. the drive that contains Windows), the second option will be a perfectly safe operation.

Michał Sacharewicz

Posted 2015-07-06T10:13:38.160

Reputation: 1 944

1-1. The disk itself is shown as smaller. Hiding files does not reduce disk capacity. – harrymc – 2015-07-11T07:07:30.990
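
An added example, not part of the thread: a PowerShell dry run for the `attrib -h -s` step above. It lists what carries both the Hidden and System attributes on E:\ and how much data that is before anything is changed. The parameter names and the skip list are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only unless -Clear is given.
param(
    [string]$Root = 'E:\',   # drive letter used in the question
    [switch]$Clear           # actually remove the Hidden and System flags
)

# Folders that Windows itself keeps hidden+system; never touch these (assumed list).
$skip = 'System Volume Information', '$RECYCLE.BIN'
$hs   = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# Enumerate top-level entries first so skipped folders are never descended into.
$top = Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
       Where-Object { $skip -notcontains $_.Name }
$all = foreach ($t in $top) {
    $t
    if ($t.PSIsContainer) {
        Get-ChildItem -LiteralPath $t.FullName -Force -Recurse -ErrorAction SilentlyContinue
    }
}

# Keep only entries carrying BOTH flags, which Explorer treats as
# protected operating system files.
$flagged = @($all | Where-Object { ([int]$_.Attributes -band $hs) -eq $hs })
$bytes   = [int64](($flagged | Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum)

$flagged | Select-Object -First 20 FullName, Attributes | Format-Table -AutoSize
'{0} hidden+system entries, {1:N2} GB in files' -f $flagged.Count, ($bytes / 1GB)

if ($Clear) {
    foreach ($item in $flagged) {
        try {
            # Clear only the two flags; ReadOnly, Archive etc. stay as they are.
            $item.Attributes = [int]$item.Attributes -band (-bnot $hs)
        } catch {
            Write-Warning "Could not change $($item.FullName): $_"
        }
    }
}
```

If the reported total is far below the 400 GB that went missing, the files are not merely hidden, which is the point the comment about the reduced capacity makes.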

1

There might be two steps of possible solutions:

First, find the list of hidden files in your desired drive by the following command.

Open a command prompt and change the directory to the root of your drive. Then run:

dir /s /a:h C:*.* > test.txt

Explanation:

dir: directory

s: show

This will list all the hidden files on your drive and write the list to test.txt.

Now open the files through copy pasting the directory in your explorer.

The second possible solution would be opening the recycler:

  • Navigate to your drive.

  • Click on Organize --> Folder Options

  • Navigate to view

  • Choose Show hidden files and folders and also uncheck the Hide protected operating system files

  • Click Apply and OK

Now you will find a drive with a folder named $recycle.bin. Open it and look for your hidden files.

BlueBerry - Vignesh4303

Posted 2015-07-06T10:13:38.160

Reputation: 7 221

1The disk itself is shown as smaller. Hiding files does not reduce disk capacity. – harrymc – 2015-07-11T09:01:08.690

1

Disk Management shows disk 0 as 931.5 GB, but E: has only 564 GB.

This could have been caused by a weird virus, but also by a problem with the firmware of the disk.

I would suggest the following :

  1. Use a disk-backup product to backup the physical disk 0, sector-by-sector. You will need 1 TB of available disk-space on another disk. Check that the size of the backup is really 1 TB before continuing.

  2. Deep-scan your computer for viruses using several well-known anti-virus products. You can use an online scan instead of installing them (requires Internet Explorer or Java), for example: Bitdefender, ESET, F‑Secure. Scan only the system disk, and especially do not scan E:.

  3. In Disk Management, right-click disk 0 and delete the volume, then recreate a volume and partition that span the whole disk.

The above procedure is risky and can cost you the contents of the disk, and also the backup in step 1 above is not guaranteed to succeed. If you have important data on the disk and no backup, use a commercial disk recovery service (not cheap) and next time keep a backup disk.

harrymc

Posted 2015-07-06T10:13:38.160

Reputation: 306 093
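
The size mismatch read off Disk Management in the answer above can also be checked from PowerShell. This is an added, read-only example, not from the answer; it assumes the Storage module cmdlets (Get-Disk, Get-Partition, Get-Volume; Windows 8 or later) and an elevated prompt.

```powershell
# Added example (read-only). Sizes are in binary GB, the unit Disk Management uses.
$rows = foreach ($disk in Get-Disk) {
    $parts   = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue)
    $inParts = [int64](($parts | Measure-Object -Property Size -Sum).Sum)

    # Layer 1: the physical disk versus the sum of its partitions.
    [pscustomobject]@{
        Item   = "Disk $($disk.Number)"
        SizeGB = [math]::Round($disk.Size / 1GB, 1)
        GapGB  = [math]::Round(($disk.Size - $inParts) / 1GB, 1)
        Gap    = 'not covered by any partition'
    }

    foreach ($p in $parts) {
        # Layer 2: each partition versus the file system inside it.
        $vol = $p | Get-Volume -ErrorAction SilentlyContinue
        if (-not $vol) { continue }   # e.g. reserved partitions with no volume
        $letter = ([string]$p.DriveLetter).Trim([char]0)
        [pscustomobject]@{
            Item   = "  Partition $($p.PartitionNumber) $letter"
            SizeGB = [math]::Round($p.Size / 1GB, 1)
            GapGB  = [math]::Round(($p.Size - $vol.Size) / 1GB, 1)
            Gap    = 'partition larger than its file system'
        }
    }
}
$rows | Format-Table -AutoSize
```

A gap of a few MB at disk level is normal alignment and metadata overhead; the numbers in the question would show up here as a gap of several hundred GB at one of the two layers.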

1

There is a big difference between 400GB and 800MB. It's my understanding that all files, no matter the attribute, are accounted for in the disk space chart, which means your hard drive has had the data erased. Have you tried using a recovery tool such as Recuva to recover the files? If you want to try it, make sure nothing is written to the drive, and if recovery is possible make sure that you opt to recover to a drive other than the one you are recovering files from.

DaveTheMinion

Posted 2015-07-06T10:13:38.160

Reputation: 4 578

1

Command prompt

attrib -h -r -s /s /d H:\*.*

(Replace the H in H:\*.* with your drive letter)

I didn't know this existed until now.

OverCoder

Posted 2015-07-06T10:13:38.160

Reputation: 154

i also tried the above command and didn't work, my files are not hidden in that kind of way – Kelvin Barsana – 2015-07-16T06:28:23.493

0

I have resolved the same problem using this command:

chkdsk /x e:

Hakim BOUMARAF

Posted 2015-07-06T10:13:38.160

Reputation: 1

0

Try using cmd. Go to the directory that your files are hidden in, then hold down Shift and right-click, and after that click on "Open command window here". Then enter this:

attrib *. -h -s /s /d

Tell me the results. The command will show all of the hidden files including the system files. It doesn't change their system files; it just shows them, and you can hide them again afterwards.

shayn

Posted 2015-07-06T10:13:38.160

Reputation: 27

attrib *. -h -s /s /d – shayn – 2015-07-06T12:02:21.357

2It is not polite to tell people to run commands that will significantly change their file system, without explaining what the commands do. Many people would not want to randomly remove the hidden and system file attribute from significant numbers of files. – ChrisInEdmonton – 2015-07-06T12:32:48.273

well if a virus is hiding your file then it is very likely that after deleting the virus your files are still hidden. one way to show these files is using cmd. the command will show all of the hidden files including the system files. it doesn't change their system files, it just shows them, and you can hide them again afterwards. – shayn – 2015-07-06T12:37:10.840

short version: nothing bad happens to your files or system – shayn – 2015-07-06T12:40:33.583

@vaasmontenegro - Do yourself a favor. Modify the answer so you fully explain what the command does. – Ramhound – 2015-07-06T12:50:28.107

now do your self a favor give my answer a +1 – shayn – 2015-07-06T13:02:27.780

@vaasmontenegro - Answer is much improved. An answer that requests additional feedback from the author of the question isn't going to receive an upvote though. – Ramhound – 2015-07-06T13:14:51.490

sorry, but it still doesn't show my files – Kelvin Barsana – 2015-07-07T06:40:15.663