Recover Files Deleted by a Virus

How to Recover Data From a Virus-infected Computer (All 3 Scenarios)

Last updated:
Rating: 5.0 / 5
Votes: 1

No robots used, our articles are crafted by humans under strict Editorial Guidelines.

Written by Manuviraj Godara Manuviraj Godara Staff Writer • 70 articles Manuviraj Godara recently joined the staff writers team at Handy Recovery Advisor, having initially contributed as a writer in 2021. His primary expertise lies in resolving data issues on Windows machines, and he has recently begun to explore Apple-related topics. LinkedIn Edited by Roman Demian Roman Demian Junior Content Editor and QA Specialist • 42 articles Roman Demian is a Junior Content Editor and QA Specialist at Handy Recovery Advisor. Since joining in mid-2024, he has been essential in keeping our content up-to-date. Roman identifies outdated or inaccurate information in older articles, updates them to current standards, and enriches our content with valuable and engaging information. LinkedIn Approved by Andrey Vasilyev Andrey Vasilyev Editor Andrey Vasilyev is an Editorial Advisor for Handy Recovery. Andrey is a software engineer expert with extensive expertise in data recovery, computer forensics, and data litigation. Andrey brings over 12 years of experience in software development, database administration, and hardware repair to the team. LinkedIn

Have viruses deleted important files from your computer? Or has a sudden infection left your photos, documents, or entire OS inaccessible? This is a problem many people have dealt with since at least 1986, when the first computer virus appeared. Thankfully, it’s often a problem that can be resolved. Our team put together this guide, which has already helped many people, and it might help you too. Stick with us, and you’ll learn how to recover data from a virus-infected computer and keep your system safe moving forward.

🗨️

Can a computer virus delete files? Absolutely, computer viruses can delete, corrupt, or modify your files. Viruses do this in ingenious ways. An example could be ransomware that encrypts your files until you pay a certain fee to the hacker to unlock your data. Some viruses delete files as soon as you click on them, and so forth. There are also cases in which a virus simply wipes out the entirety of your hard disk drive.

Quick Guide to Virus Attack Recovery

Over the years, we’ve tried countless methods to recover files after a virus attack. To make things simpler, we’ll present three scenarios based on how severe the infection is and what’s happening with your data.

Our terms Cleaned, Soft-Infected, and Hard-Infected aren’t technical—they’re just a way to structure this article. Here’s what we mean:

  • Cleaned: Virus removed, just need to recover lost files.
  • Soft-Infected: Virus still present, needs to be dealt with first.
  • Hard-Infected: Major damage done, system might be unbootable or data locked.

Scenario

Key Steps

Scenario #1: Cleaned PC Recover Files Deleted by a Virus on a Cleaned System

  1. Verify the system is truly clean.
  2. Use data recovery software.

Scenario #2: Soft-Infected PC Recover Files Deleted by a Virus on a Soft-Infected System

  1. Scan your system with Windows Defender.
  2. Scan your system with 3rd party antivirus software.
  3. Try to recover hidden files from virus-infected USB/PC using CMD.
  4. Recover missing files with data recovery software.

Scenario #3: Hard-Infected PC Recover Data from a Severely Infected Computer that Won’t Boot.

  1. Boot from Live Rescue media.
  2. Run a virus scan to eliminate threats.
  3. Attempt to boot into Windows normally.
  4. If Windows boots successfully, install and run a data recovery application to retrieve files deleted by the virus.

If the Computer Cannot Boot Normally:

  • Option A: scan the Drive on a different computer
    1. Safely shut down the infected PC and disconnect it from power.
    2. Carefully extract the hard drive from the computer.
    3. Use a USB-to-SATA adapter or directly connect the drive to another computer.
    4. Use your chosen data recovery tool to scan the connected drive and recover necessary files.
  • Option B: Use Professional Recovery Services

Scenario #1: How to Recover Files Deleted by a Virus on a Cleaned PC

The first and easiest situation to deal with is when all you need is to recover files deleted by a virus, after you’ve already removed it and your system is in good shape and virus-free.

⚠️

Only move forward if you are completely sure your system is clean. Run full scans with a few antivirus programs, like Avast and Windows Defender, to confirm the virus is completely gone. If the computer is still infected, the virus could delete or corrupt your recovered files again, making your efforts pointless. Take the time to remove every threat before starting the recovery process. Read the section on malware removal to know more about this. If you have already done this, here is how to proceed further to recover your files.

Data recovery software is your best option (if you don’t have backups) to recover deleted documents, archives, images, videos, and more after a virus attack.

Over the years, we’ve tested and reviewed plenty of tools. For this article, we chose Disk Drill for the demonstration. We’ll explain exactly why it’s our top choice at the end, but first, let’s get into how to recover data deleted by a virus using Disk Drill:

  1. Download Disk Drill and install the program. If possible, always install recovery tools on a drive different from the one you’re recovering files from to avoid overwriting the deleted data.
  2. Open Disk Drill and select the partition or drive that contained the files deleted by the virus. Click on Search for lost data to begin the data recovery scan.Click Search for Lost Data
  3. You can click Review found items to view the recoverable files in real-time, or wait for the scan to complete. You can directly click on the file type on this screen to directly view recoverable videos, music, documents, archives, and images.Click on any of these categories to see a list of files
  4. Disk Drill organizes recoverable files into subcategories like Deleted or Lost (recently deleted files with names and structures intact), Existing (files still on the drive), and Reconstructed (files rebuilt from data fragments without original names or folders).You’ll see subcategories like Deleted or Lost, Reconstructed, and Existing
  5. Use the filtering tools to sort files by type, size, or modification date to narrow down the results. You can also use the search bar at the top-right corner of the window to filter out files even further (type a file name, part of a name, or a specific extension).
  6. Select the files you want to recover. Remember, you can either click on the eye icon or simply double-click the file to see a preview of almost any file type such as JPG, TXT, and others that your system or third-party apps on your system can view.Check the boxes next to files
    🗨️

    Look at a Recovery Chances column for each file, which indicates how likely it is to recover the file fully intact. Also, if you can preview the file, it means the file is definitely recoverable.

  7. After selection, click on Recover.Choose a recovery destination
  8. Choose a recovery destination for the files. Select a drive/partition different from the one you’re recovering files from, if possible.
  9. Disk Drill will recover the files to the selected location.

Disk Drill is a highly capable data recovery tool that can handle all kinds of virus-related data loss scenarios. Whether the issue involves simple deletions or more severe cases, like when a virus compromises the file system or formats your drive. In many cases, you can recover files from “quick” formatted storage, unlike “full” formats that erase data completely.

And now, as promised, here’s what makes Disk Drill perfect for data recovery, especially in scenarios where a virus has deleted your files:

  • It works with all kinds of storage devices, including internal system drives, external hard drives, SSDs, USB flash drives, and memory cards. Be prepared that data recovery from an internal/system SSD is often impossible due to the TRIM feature, which automatically completely erases deleted data to maintain the drive’s performance.
  • Supports all the commonly used file systems, such as NTFS, FAT32, exFAT, and more. NTFS should be of particular interest since, if the virus affected your system drive (and not an external device), it’s most likely formatted with NTFS.
  • Most likely, since your PC is clean, Disk Drill will scan for recently deleted files, which is the easiest case for this kind of tool. However, keep in mind that there are different virus-related file loss scenarios, and this app offers various scanning modes to handle them: Quick Scan (perfect for recovering files that were recently deleted by a virus), Deep Scan (for situations where a virus reformatted your drive or corrupted the file system. Deep Scan reconstructs data directly from the drive, even if file system records are damaged. While file names and folder structures may not always survive, this mode retrieves your data based on its structure in the file table), and Signature Scan (this mode useful when a virus has completely wiped out the file system. It identifies files based on their unique data patterns, or “signatures”). Disk Drill runs all these scans automatically, you won’t have to decide which mode to use.
  • It has great filtering and file preview tools to help you find exactly what you’re after without the need to recover everything or do a lot of guesswork.
  • Disk Drill offers a Basic version that you can download and use for free. It lets you scan your drive and see if your files are recoverable before you commit to anything. You can also recover up to 500 MB of files completely free, with no strings attached.
🔗

If you want to try other data recovery tools, check out our list of Disk Drill alternatives for more options tailored to different needs.

Scenario #2: How to Recover Files Deleted by a Virus on a Soft-Infected Computer

If your computer has been infected by a relatively benign virus, i.e. one that has not rendered your computer completely unusable, you can remove the virus and then perform data recovery. In this section, we’ll explore how to remove a virus from your computer and then get back these recently deleted files.

⚠️

If your computer gets infected, make sure to let your colleagues, friends, and family know. You wouldn’t want this malicious code to spread, so remind them not to open any suspicious links or attachments sent from your email or other messaging services. This helps keep everyone’s devices safe.

This is a 4-step process:

Step #1: Scan Your System With Windows Defender

Windows has an in-built antivirus program in place, called the Windows Defender. While it has real-time protection, it may not be able to detect all the threats that infect your computer in real-time. Thus, it’s recommended that you run a full system scan using Windows Defender.

Here is how you can do this:

  1. Press Windows Key + S, and type “virus and threat protection.”
  2. Click on the Virus & threat protection option from the search results.Virus and threat protection in Windows Search
  3. On the next window, click on Scan options under Current Threats.Scan options in Windows Defender.
  4. Now, select the Full Scan option and click on Scan now. Windows Defender will scan your entire PC for viruses. It may take a long time and your computer will sluggish while the scan is underway. It’s also advisable to perform a Microsoft Defender Offline scan in addition to the Full Scan.Full Scan option in Windows Defender.

Step #2: Scan Your System With 3rd Party Antivirus Software

While Windows Defender is quite capable on its own, it may not be able to detect all the threats on your PC. To be on the safer side, scan your computer with a good third-party antivirus solution too. You can use one of the many free third-party antivirus programs like Avast Antivirus, Malwarebytes, etc.

Check the developer’s website for details on how to perform a full antivirus scan using that particular program. The process may differ slightly across different software. Additionally, if your computer has been infected by ransomware, it’s recommended you check the website of antivirus programs for the latest version of ransomware decryptors.

👀

There’s one last thing that you should do before moving on to data recovery–check whether your files are deleted or simply hidden from your view. More on it in the next section.

Step #3: Try to Recover Hidden Files From Virus Infected USB/PC Using CMD

In many instances, the virus may not wipe out the information on your drive, but simply hide it from your view. The best way to tackle this is to recover malware-infected files using the CMD.

Don’t worry if you’re not acquainted with CMD, the instructions are simple enough for all users to follow:

  1. Type cmd in Windows Search (Windows Key + S). Right-click on Command Prompt > Run as administrator.
  2. In the CMD console, type cd\ and press Enter.The cd\ command in the Command Prompt console.
  3. Now, type the drive letter followed by a colon (:) from which you want to check for and unhide files. Press Enter. In our case, it’s a flash drive with the G: letter assigned to it.Drive letter in Windows Command Prompt.
  4. Type dir/ah in the console and press Enter. This will display all the hidden files and directories that CMD found in the selected drive. In our case, Command Prompt didn’t find any hidden files or directories, thus there is nothing listed. If CMD finds hidden files in your case, move on to the next step.List hidden files command (dir/ah) in the Command Prompt console.
  5. Lastly, to unhide all the discovered files, type attrib *. -h -s /s /d and press Enter. CMD will unhide them. Note that the Command Prompt may seem stuck during the process, but it’s not. Simply wait it out.The unhide command in Command Prompt.
👀

There’s also a simpler way to do this directly in File Explorer, but it might not be as effective, especially when malware is involved. If you want a quicker method, you can open the folder where the files are supposed to be, click on the “View” tab in File Explorer, and check the “Hidden items” box.

Step #4: Recover Missing Files with Data Recovery Software

In case you’re not able to find your files after performing all the steps in the sections above, you’ll have to scan the drive using data recovery software.

🔗

By the way, if you’ve set up backups using built-in Windows features like Backup & Restore or File History, you can use them to restore your virus-deleted files. If you need a refresher on how to do this, check out our Backup and Restore Features Guide for detailed instructions.

Scenario #3: How to Recover Data from a Hard-Infected PC

In the worst cases, a hard-infected PC may not boot properly due to severe virus damage, system corruption, or ransomware locking you out. When this happens, recovery becomes more complicated, but there are still options to try.

There are many bootable rescue media options available to help fix the problem and recover your data. You can use tools like Avast Rescue Disk, Kaspersky Rescue Disk, or Trend Micro Rescue Disk, which are designed to scan and remove security threats.

However, to use these tools, you need to create bootable media first, which requires a working computer. We will demonstrate how it can be done using Rescue Disk in Avast Antivirus.

How to Create a Rescue Disk to Scan a Virus-Infected Computer That Won’t Boot

To create a Rescue Disk on a blank USB drive or DVD, you’ll need:

  • A malware-free Windows PC with Avast Antivirus installed (if you don’t have it, download Avast Premium Security or Avast Free Antivirus).
  • A blank USB drive (2GB or higher) or a blank recordable DVD with a DVD-writer and burning software that can write from an ISO file.

How to create the Rescue Disk:

  1. Open Avast Antivirus and navigate to Protection > Virus Scans.
  2. Select the Rescue Disk tab.Select the Rescue Disk tab
  3. Tick Use UEFI boot file for modern PCs if your system uses UEFI. For older PCs using BIOS, untick this box. If you’re unsure whether your PC uses UEFI or BIOS, create both versions and try each until the system successfully boots.
  4. Insert the USB drive or DVD into your PC and click Create on USB (or Create on DVD).
  5. Select your USB drive or DVD in the dialog that appears and let the process complete.Select your USB drive

Once finished, click OK to confirm that the Rescue Disk is ready. Now, you need to boot your PC from Rescue Disk:

  1. Insert the USB drive with the Rescue Disk into your infected PC.
  2. Power on the PC and immediately press the key to enter the Boot Menu (typically Esc, F12, F11, or F8—refer to your PC’s documentation for the exact key).
  3. From the Boot Menu, select the USB device and follow the on-screen instructions to boot into the Rescue Disk environment.
  4. Once the Rescue Disk starts, you can begin scanning for malware. Click the AvastPE Antivirus tile on the main Rescue Disk menu.Click the AvastPE Antivirus
  5. If connected to the internet, click Update VPS to make sure the virus definitions are up to date.
  6. Select All hard disks to scan the entire system, or choose Selected folders/disks to scan specific areas. You can also tick Scan all archives to include compressed files.
  7. Click Next to begin the scan.

After the scan is complete, Rescue Disk will notify you of any found threats. You can select either:

  • Fix automatically: Avast will try to remove the malware while keeping the rest of the file intact. If it can’t repair a file, it will be deleted.
  • Fix manually: You can choose which files to delete or repair.

Once you’ve made your selection, click Finish, then choose File > Restart to reboot the PC. You can then remove the USB or DVD. Now, it’s the moment of truth: if your system boots up successfully, great! You can check if your files are still intact. If they’re not, you can use the method described in Scenario #1: How to Recover Files Deleted by a Virus on a Cleaned PC to try to retrieve them.

However, if your system is still down, you have two options to retrieve your files. You can try to connect your drive to a different computer to see if any files can be recovered. Or contact a professional data recovery service.

Option A: Scan the Drive on a Different Computer

Sometimes, viruses cause serious damage, corrupting or deleting important system files, or even formatting your system drive. In these cases, you can try to connect the affected drive to a working computer. You can often remove internal drives and connect them as external drives using an external drive enclosure or a USB-to-SATA adapter.

⚠️

The first thing to do when you connect the affected drive to a working computer is run a full virus scan. You don’t want to risk letting any malware on the drive infect another system, to get stuck with two damaged computers instead of one. Always start with a thorough scan as describes in Scenario #2: How to Recover Files Deleted by a Virus on a Soft-Infected Computer.

How to connect an affected drive to a working computer:

  1. Turn off your computer.
  2. For desktops, open the case and carefully disconnect the drive. For laptops, follow the manual to remove the drive.
  3. Place the affected drive in an external enclosure or connect it using a USB-to-SATA adapter. These devices allow you to connect the internal drive as if it were an external drive.
  4. Plug the enclosure or adapter into a USB port on the working computer.
  5. The affected drive should appear as a new external storage device.
  6. Before accessing any files, run a full virus scan.

You can transfer all the existing data you want using the good ol’ copy-paste method. Just select the files you need, copy them, and paste them onto the working computer or another storage device.

If some files were deleted or the drive was formatted use data recovery software to recover lost files from a system infected by a virus.

Option B: Use Professional Recovery Services

If all this DIY data recovery feels like too much, you can always turn to the professionals. We have a list of some of the best recovery services available. You can either find one near you or ship your drive to them for recovery. However, keep in mind that professional services are usually not cheap, and it’s definitely more affordable to try DIY recovery first. But, of course, the choice is yours. If you prefer to leave it to the experts, they can often recover data that’s difficult to retrieve on your own.

What Types of Viruses Are There?

There are several types of computer viruses that affect your PC and your data in different ways. Some viruses may not even impact your data at all. It’s important to know and differentiate between computer viruses.

The terms ‘virus’ and ‘malware’ are often substituted for each other, but they are quite different. A virus is a specific type of malware that usually self-replicates and performs the malicious actions it was programmed to do. There are different types of viruses, defined by how they infect the host and what they do:

  • Polymorphic Virus: A difficult-to-detect virus that slightly changes or morphs its code after each infection. Polymorphic Viruses use complex mutation engines to constantly modify their code, encrypt it, and constantly change the encryption key. This is what makes these viruses so tough to detect.
  • Macro Virus: Embedded into the macro-instructions of programs such as Excel or Word, Macro Viruses used to be the dominant form of computer viruses, until Microsoft disabled macros by default in MS Office 2000. The damage that a macro virus can do ranges from modifying the infected documents to accessing your email and sending out infected copies of the documents to all your contacts.
  • Browser Hijacker: Browser hijacker viruses essentially modify your browser’s settings without your permission. They can redirect your searches to another website, install toolbars without your permission, and display multiple advertisement pop-ups.
  • Resident Virus: A resident virus will attach itself to the computer’s memory, allowing it to damage and infect all applications that are run by the computer. There are two primary subtypes of resident viruses–fast infectors and slow infectors. The former does a lot of damage quickly, and thus, is relatively easier to detect. The latter slowly infects and damages your programs to the point of being barely noticeable.
  • File Infector Virus: File infector viruses typically infect the executable (.exe) files. As soon as the infected file is executed, the virus may overwrite the original file and spread it to other applications on the host computer. File infecting viruses can make your computer unusable and spread really quickly. In some cases, they can be self-executable too.
  • Boot Sector Virus: A boot sector virus infects the master boot record (MBR) or the boot partition of a computer’s hard disk drive. After infection, the malware executes as soon as you boot your PC before security measures can be loaded.
  • Spacefiller Virus: Also referred to as cavity viruses, spacefiller viruses occupy the empty space packets in a file, and therefore the infected file’s size remains the same. This also makes them very difficult to detect and remove.
  • Web Scripting Virus: A web scripting virus infects your computer by exploiting the vulnerabilities in your web browser. Once it infects your PC, a web scripting virus can self-replicate, steal your browser cookies, and steal other personal information.
  • Virus That Deletes Files When Clicking on Them: Some viruses are more destructive in nature. For instance, a virus that deletes files when you click on them can cause immediate deletion of important files as soon as you interact with them.
⚠️

Beyond viruses, there are various other types of malware, based on how they execute and infect your PC. Here is a table that explains common types of malware and what they do:

Types of Malware

What It Does

Ransomware

It blocks a victim’s device and demands a ransom to regain access.

Worms malware

It can replicate itself without human interaction and spread through a network.

Trojans malware

It can disguise itself as a genuine file or software.

Fileless Malware

It uses existing software or applications on your computer to run malicious actions.

Wiper Malware

The purpose of this virus is to erase all data without the possibility to restore it.

Spyware

It collects and steals a victim’s data without his knowledge.

Keyloggers

It tracks and records all the input information from the victim’s keyboard.

Rootkits

It grants remote access to a victim’s device without his knowledge.

Adware

This is a type of malware that uses pop-ups and banners to get the victim to share data or install malware.

Bots or botnets

They are used for massive attacks to gain data, remote access, or traffic overload.

FAQ

How can I recover my deleted photos from the virus?

If a virus has deleted your photos, start with a full virus scan with antivirus software to remove the virus. If the photos aren’t in the Recycle Bin, use data recovery software like Disk Drill or Recuva to scan your drive for recoverable files. If you have a backup, you can restore the photos from there.

How to recover deleted files after a virus scan?

The best lesson you can take away from a virus attack is to learn how to prevent it in the future. With the help of a few basic steps, you can protect your data and your computer from any sort of virus attack. Here are some tips to follow:

  • ✅ Keep your OS and antivirus updated.
  • 💪 Use strong passwords on all your web accounts.
  • 💽 Regularly back up your data.
  • ❌ Avoid pirating software, video games, music, and movies.
  • 🖥️ Perform regular full scans of your PC.
  • 🧱 Use a firewall and never open random links sent via emails.

How to prevent a virus from deleting files on my computer in the future?

To recover files deleted after a virus scan, you can open the quarantine folder within the antivirus software. Here are some guides on how to recover deleted files after a virus scan by popular antivirus software such as Norton Antivirus, Windows Defender, and Avast Antivirus.

If you cannot locate the files there, you’ll need to use Disk Drill or other data recovery programs to get back your data.

How to recover virus-infected files using CMD?

You can recover virus-infected files using CMD in scenarios where the virus has simply made your files hidden. Here’s how:

  1. Launch CMD as administrator.
  2. Type cd\ and press Enter.
  3. Now type the relevant drive letter followed by a colon (:). Example: G:.
  4. Type dir/ah and press Enter.
  5. Enter attrib *. -h -s /s /d and press the Enter key. CMD will restore the hidden files.

If you can’t see your files, it’s possible the virus deleted them. In this case, you can use data recovery software to try to retrieve them.

How to recover ransomware-infected files?

To recover ransomware-infected data, use the latest ransomware decryptor from popular antivirus programs’ websites. If that’s not possible, contact a data recovery service to get back your data for you.

How to recover files hidden by trojan virus?

To recover files hidden by a Trojan virus, start with a full system scan with reliable antivirus software. These programs can detect and remove the Trojan, which may restore access to your hidden files. After removing the virus, check for any files that were marked as hidden and attempt to unhide them manually.

If the files are still inaccessible, use data recovery software like Disk Drill, or Recuva to scan your drive for lost or hidden files.

How to remove a zero KB virus?

To remove a zero KB virus, it’s recommended to scan your system with a reliable antivirus like Bitdefender, Norton, Kaspersky, Avira, or Avast. These programs should automatically detect and remove the virus-infected files or quarantine them, so they won’t pose a threat to your system.

How to fix files that are infected with a virus?

To repair virus-infected files, start with a full virus scan with reliable antivirus software. It will detect and remove the malware, which may restore the affected files. If the files still aren’t working right after the virus is removed, you can try to restore them from a backup if you have one.

If you don’t have a backup, you can try dedicated file repair software to fix damaged files. For example, if the file is an archive, you can try WinRAR’s Repair Archive tool. It can often fix minor corruption in compressed files and help you recover the data.

Can I recover files corrupted by the virus online?

There is no online service specifically designed to fix virus-corrupted files, but you can try online services that focus on fixing specific file types. For example, if a video file was deleted by the virus and you used data recovery software to retrieve it but it won’t play, you can use services like Clever Online Video Repair to attempt repairs.

Is it safe to copy files from a virus-infected computer?

It’s not safe to copy info from a virus-infected computer since the virus could spread to the other computer too. First, remove the virus, then copy the information to another computer.

About article

This article was written by Manuviraj Godara, a Staff Writer at Handy Recovery Advisor. It was recently updated by Roman Demian. It was also verified for technical accuracy by Andrey Vasilyev, our editorial advisor.

Curious about our content creation process? Take a look at our Editor Guidelines.

How do you rate the article? Submitted:
Current article rate: 5 1 vote