I have just been given an external hard drive by a customer, where 3 years' worth of videos had been deleted by an antivirus program (Microsoft Security Essentials). This of course is the customer's view of things, coloured by the prospect of never seeing the videos again. I saw the history of the AV run, and it seemed to have deleted a bunch of .lnk files, but a quick look while on their computer showed no signs of the files. So I connected the external drive to my workshop PC, and lo and behold, the folders and files were all there, but the folders were all hidden system files. Being a workshop machine, I have the viewing of these files switched on all the time.
I ran a few antivirus jobs on the HD before doing anything, and deleted a few viruses.
The initial problem seems to be that some virus (not sure which one of the viruses detected by MSE) had changed all the folders on the drive to hidden folders, but set up infected shortcuts to the folders. The change is invisible to the users, but each time a folder is clicked on, the infected file is run.
As all the shortcuts were removed by MSE, none of the files and folders were visible to the users. So what to do? My first idea was to create a shortcut to each folder, which gets around the problem quite easily, but is not really a good solution, adding a layer of complexity that wasn’t there before the initial problem. So I researched how to remove the system hidden folder attributes.
Simple really: in the CMD box, use the command attrib "file path" -s -h. The file path only needs to be in quotes if there are embedded spaces in the name. Fortunately only 10 or so folders had been changed, and none of the folders within them. Change the minus signs to plus signs if you want to make a folder or file a hidden system file.
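The same fix scripted for a whole drive, as an added example that is not from the original post: it lists the top-level folders that carry both the hidden and system attributes, notes whether a same-named .lnk still sits beside each one, and only when run with -Fix clears the attributes by calling attrib. The drive letter E:\, the parameter names and the idea that a shortcut shares its folder's name are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: the external drive is mounted as E:\ and any leftover
# shortcut has the same name as the folder it replaced, plus ".lnk".
param(
    [string]$Root = 'E:\',   # placeholder drive letter
    [switch]$Fix             # without -Fix the script only reports
)

$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System

# Folders Windows itself keeps hidden+system on every volume; leave them alone.
$skip = @('System Volume Information', '$RECYCLE.BIN', 'RECYCLER')

# -Force is required, otherwise hidden/system folders are not enumerated at all.
$suspect = Get-ChildItem -LiteralPath $Root -Directory -Force |
    Where-Object {
        $_.Attributes.HasFlag($hidden) -and
        $_.Attributes.HasFlag($system) -and
        ($skip -notcontains $_.Name)
    }

foreach ($dir in $suspect) {
    # A surviving shortcut should be scanned or removed before anyone clicks it.
    $lnk = Join-Path -Path $Root -ChildPath ($dir.Name + '.lnk')

    [pscustomobject]@{
        Folder          = $dir.FullName
        Attributes      = $dir.Attributes
        ShortcutPresent = Test-Path -LiteralPath $lnk
    }

    if ($Fix) {
        # Same command as used by hand above; PowerShell quotes the path
        # automatically if it contains spaces.
        & attrib.exe -s -h $dir.FullName
    }
}
```

Run it once without -Fix to review the list, then again with -Fix after the antivirus scan has finished.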
Now I just need to disinfect 2 PCs, possibly a media centre, and another external hard drive!