Viruses and other kinds of malicious programs are responsible for countless data loss horror stories every day, and even tech-savvy users with plenty of experience under their belts are not completely safe from them.
But not all data loss horror stories have bad endings. As long as you know how to recover virus-infected files, you have a fairly good chance of turning the terrible situation around and saving your precious data, and that’s exactly what this article is here to teach you.
Not All Viruses Are Created Equal
In this article, we use the term “virus” loosely to encompass a broad range of malicious programs, also referred to as malware.
Let’s focus only on the most important classes of viruses and their potential for causing data loss.
File-Infecting Viruses (✅ Recoverable)
Viruses that belong in this class infect mainly executables, such as .exe and .com files. Infected executables can make your OS unstable and generate error messages that interrupt your work. In extreme cases, file-infecting viruses can cause the entire storage device to become raw, making it impossible to access any files that were stored on it.
Solution: You should start by disconnecting the infected drive and connecting it as a non-system drive to an isolated computer. Then, you can attempt to perform data recovery using readily available data recovery software.
Macro Viruses (✅ Recoverable)
This type of virus is commonly found in Office documents, such as those created using Word or Excel. Many Office documents have built-in support for Visual Basic code, which allows cybercriminals to hide viruses inside them. When the user opens an infected document, they also open the virus hidden inside, allowing it to access other parts of the system.
Solution: Problems with macro viruses can be avoided by disabling Visual Basic support in Office applications. Already infected documents that have been corrupted can often be reconstructed using data recovery software.
Web Scripting Viruses (✅ Recoverable)
Web scripting viruses are installed directly from the internet when you visit a malicious website or download an infected file. Such viruses can upload your data to a remote server and then delete it to cause even more damage.
Solution: To stop web scripting viruses, you should disconnect your PC from the internet by unplugging the network cable. Then, scan the drive for deleted data using data recovery software and save all recovered files. If you want to be extra safe, you can format the infected drive and reinstall your entire operating system.
Boot Sector Viruses (✅ Recoverable)
Boot sector viruses are written directly to the boot sector, causing them to be executed each time the infected computer starts. Because this class of viruses often blocks access to the operating system, recovering lost files is slightly more complicated, but not impossible.
Solution: You should connect the infected drive to another PC and scan it using data recovery software. After completing the recovery, we recommend you format the entire drive, including the boot sector, to get rid of the virus.
Resident Viruses (❓ Potentially Recoverable)
Resident viruses hide in your computer’s memory (RAM), which allows them to easily spread to other parts of your computer and infect all data they come into contact with.
Solution: The recovery of lost data after infection by a resident virus is, unfortunately, not always possible. While some resident viruses only block logical access to files by changing their attributes and deleting the pointers that are used to access them, others are far more devastating and may permanently delete the files they encounter.
Encrypt Viruses (❓ Potentially Recoverable)
Encrypt viruses include the most talked-about type of malware today: ransomware. The purpose of ransomware is to block access to data by encrypting it using a strong encryption algorithm. The attackers then threaten to make the encrypted data irrecoverable unless a ransom is paid.
Solution: Some encrypt viruses rely on weak or poorly implemented encryption algorithms, which can be easily defeated using readily available decryptors. However, there are also many strains of ransomware whose implementation of file encryption is virtually flawless and thus impossible to defeat.
Spacefiller Viruses (❌ Irrecoverable)
This rather rare class of viruses is characterized by its insatiable hunger for empty disk space. When a spacefiller virus encounters any disk space that hasn’t yet been filled, it quietly installs itself there, making detection difficult.
Solution: Spacefiller viruses don’t always cause direct damage, but they may overwrite files that have been deleted (both intentionally and unintentionally) some time ago, making their recovery impossible even with the best data recovery software.
Overwrite Viruses (❌ Irrecoverable)
As their name suggests, overwrite viruses aim to cause damage by overwriting system files and user data. One commonly encountered overwrite virus is called LoveLetter. This dangerous virus has the ability to act as a trojan and an email worm, which allows it to spread quickly and across multiple networks.
Solution: Since it’s impossible to recover overwritten files, the best thing you can do is to prevent the further spread of the overwrite virus you’ve encountered by formatting the infected drive.
How to Recover Virus Infected Files?
As we explained in the first part of this article, not all viruses are created equal, so you can’t expect a single recovery strategy to address every case of virus infection you may encounter.
In this part, we describe several common virus infection scenarios and provide detailed step-by-step instructions to explain how you can recover from them.
Recover Hidden Files from a Virus Infected USB Flash Drive
Because USB flash drives are primarily used to transfer files between different computers, they often become infected with viruses, trojans, and other malware.
If you’re suddenly missing files that were stored on your USB flash drive, the chances are that they’ve been hidden by one of the viruses described above. The good news is that unhiding them may still be possible, as long as you act quickly and follow our instructions.
Reset all file attributes to unhide files hidden by a virus:
- Press Win + X and select Windows PowerShell (Admin).
- Navigate to the infected USB flash drive using the cd command.
- Enter: attrib -h -r -s /s /d X:\*.* (replace X with your drive letter)
If you’re lucky, then this is all you need to do to regain access to your hidden files. The same instructions can also help you get rid of the so-called Recycler virus, a commonly encountered variation of the W32.Lecna.H worm.
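A report-first variant of the attrib command above, as an added example that is not part of the original article: it lists every hidden, system, or read-only item on the drive and clears those three attributes only when run with -Apply. The parameter names, the CSV report path, and the X:\ default are assumptions; replace X with your drive letter.

```powershell
# Added example (not from the original article).
# Assumptions: -Drive, -Apply and the report path are illustrative names.
param(
    [string]$Drive = 'X:\',   # replace X with the flash drive's letter
    [switch]$Apply            # without -Apply the script only reports
)

# The same three attributes that "attrib -h -r -s" clears.
$mask = [int][System.IO.FileAttributes]'Hidden, System, ReadOnly'

# -Force makes Get-ChildItem return hidden and system items too;
# -Recurse mirrors attrib's /s and /d switches.
$items = Get-ChildItem -LiteralPath $Drive -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $mask) -ne 0 }

# Save an inventory before changing anything, so there is a record of
# what was hidden and when it was last written.
$report = Join-Path $env:TEMP 'usb-hidden-items.csv'
$items |
    Select-Object FullName, Attributes, Length, LastWriteTime |
    Export-Csv -Path $report -NoTypeInformation

$items | Format-Table FullName, Attributes -AutoSize
Write-Host "$(@($items).Count) item(s) flagged. Report saved to $report"

if ($Apply) {
    foreach ($item in $items) {
        try {
            # Clear only Hidden, System and ReadOnly; keep every other bit
            # (Archive, Directory, ...) exactly as it was.
            $cleared = [int]$item.Attributes -band (-bnot $mask)
            $item.Attributes = [System.IO.FileAttributes]$cleared
        }
        catch {
            # Protected folders such as "System Volume Information"
            # can refuse the change; report and continue.
            Write-Warning "Could not update $($item.FullName): $_"
        }
    }
}
```

Review the report before opening anything: clearing attributes across the whole drive also reveals any files the malware itself had hidden there.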
Safely Recover Files from an EXE Virus
EXE viruses are the most common type of file-infecting viruses. They can be encountered on malicious websites, found bundled with shady software, or disguised as legitimate files on file-sharing websites.
Just like all other file-infecting viruses, EXE viruses can disable parts of the operating system, hide important files, or even cause widespread data corruption. While files that are hidden by a Trojan can usually be recovered with nothing but the attrib command (see the previous method), proper data recovery software is typically needed to recover from an EXE virus.
Step 1: Install data recovery software
There are many data recovery software solutions that can help you safely recover files from an EXE virus, but we recommend Disk Drill.
Why? Because Disk Drill is easy to use yet powerful enough to recover over 400 file formats from all commonly used Windows, macOS, and Linux file systems. Best of all, you can use it to preview an unlimited number of files to verify their recoverability before paying any money to get them back.
Just make sure to install Disk Drill on a different storage device than the one you want to recover data from, to avoid overwriting the very same data you’re trying to save.
Step 2: Scan the infected drive
Assuming you’ve picked Disk Drill as your data recovery software of choice, all you need to do to scan the infected drive is select it and click the Search for lost data button. Disk Drill will automatically run all recovery algorithms in the optimal order.
Step 3: Select files for recovery
Depending on the size of your storage device, it might take Disk Drill a short while to finish scanning for lost data, so be patient and let it do its job. Once the scan is over, you can preview all recoverable files and select those you want to get back.
Use Disk Drill’s handy search results filters to easily locate the data you want to recover while hiding everything else.
Step 4: Recover selected files to a safe location
Next, click the Recover button to recover the selected files. Disk Drill will ask you to specify the recovery directory, and you should select a folder that’s located on a different storage device than the one you’re recovering from. Again, this is to avoid overwriting the same files you’re trying to recover.
Step 5: Format the infected drive
Finally, you should format the infected drive to prevent the spread of the virus. We recommend you complete this step even if you’ve already deleted the virus using an anti-malware solution like Microsoft Defender because you don’t want to take any chances when it comes to viruses.
Recover Ransomware Infected Files
There’s a good reason why ransomware attacks have been making the headlines for years now: they’re extremely difficult to recover from. There were many high-profile instances where infected individuals and organizations alike decided to pay a hefty ransom just to regain access to their lost files.
But paying a ransom doesn’t guarantee you or your organization will get any data back, as explained by the FBI. Unsurprisingly then, the FBI doesn’t support paying a ransom in response to a ransomware attack. Instead, you should attempt to decrypt your files and, if that fails, recover them from a backup.
Option 1: Decrypt files encrypted by ransomware:
- Remove the ransomware using a reputable anti-malware solution, such as Windows Defender and its Offline scan option.
- Find the latest decryptor for the ransomware.
- Download and launch the decryptor.
- Use the decryptor to scan the encrypted storage device.
- Wait for your files to be decrypted.
If you’re attempting to recover ransomware infected files from a system drive, then we recommend you disconnect it and decrypt it as a secondary drive from a clean computer.
Option 2: Recover ransomware infected files from a backup:
Are you unable to find a suitable decryptor for the specific strain of ransomware that has encrypted your files? In that case, your only salvation is an existing backup (local or cloud).
Before you recover lost files from a backup, make sure that the ransomware responsible for their loss has been completely removed from your system. It’s a good practice to format all potentially infected storage devices and reinstall the operating system after every infection.
The actual steps you need to take to recover your data depend entirely on your data backup method of choice. When recovering from a local backup, you can simply drag & drop your files. On the other hand, most cloud backup solutions come with a backup tool to help you synchronize local and remote files.
There are countless different types of viruses, some more dangerous than others. In this article, we described several recovery methods to help you regain access to files that have been hidden, deleted, and encrypted. Hopefully, this will be your last encounter with a virus—or at least virus-caused data loss.