How to Recover Data From a Virus-infected Computer (All 3 Scenarios)

Have viruses deleted important files from your computer? Or has a sudden infection left your photos, documents, or entire OS inaccessible? This is a problem many people have dealt with since at least 1986, when the first computer virus appeared. Thankfully, it’s often a problem that can be resolved. Our team put together this guide, which has already helped many people, and it might help you too. Stick with us, and you’ll learn how to recover data from a virus-infected computer and keep your system safe moving forward.

Quick Guide to Virus Attack Recovery

Over the years, we’ve tried countless methods to recover files after a virus attack. To make things simpler, we’ll present three scenarios based on how severe the infection is and what’s happening with your data.

Scenario #1: How to Recover Files Deleted by a Virus on a Cleaned PC

The first and easiest situation to deal with is when all you need is to recover files deleted by a virus, after you’ve already removed it and your system is in good shape and virus-free.

Data recovery software is your best option (if you don’t have backups) to recover deleted documents, archives, images, videos, and more after a virus attack.

Over the years, we’ve tested and reviewed plenty of tools. For this article, we chose Disk Drill for the demonstration. We’ll explain exactly why it’s our top choice at the end, but first, let’s get into how to recover data deleted by a virus using Disk Drill:

1. Download Disk Drill and install the program. If possible, always install recovery tools on a drive different from the one you’re recovering files from to avoid overwriting the deleted data.
2. Open Disk Drill and select the partition or drive that contained the files deleted by the virus. Click on Search for lost data to begin the data recovery scan.
3. You can click Review found items to view the recoverable files in real-time, or wait for the scan to complete. You can directly click on the file type on this screen to directly view recoverable videos, music, documents, archives, and images.
4. Disk Drill organizes recoverable files into subcategories like Deleted or Lost (recently deleted files with names and structures intact), Existing (files still on the drive), and Reconstructed (files rebuilt from data fragments without original names or folders).
5. Use the filtering tools to sort files by type, size, or modification date to narrow down the results. You can also use the search bar at the top-right corner of the window to filter out files even further (type a file name, part of a name, or a specific extension).
6. Select the files you want to recover. Remember, you can either click on the eye icon or simply double-click the file to see a preview of almost any file type such as JPG, TXT, and others that your system or third-party apps on your system can view.
   🗨️

   Look at a Recovery Chances column for each file, which indicates how likely it is to recover the file fully intact. Also, if you can preview the file, it means the file is definitely recoverable.

7. After selection, click on Recover.
8. Choose a recovery destination for the files. Select a drive/partition different from the one you’re recovering files from, if possible.
9. Disk Drill will recover the files to the selected location.

Disk Drill is a highly capable data recovery tool that can handle all kinds of virus-related data loss scenarios. Whether the issue involves simple deletions or more severe cases, like when a virus compromises the file system or formats your drive. In many cases, you can recover files from “quick” formatted storage, unlike “full” formats that erase data completely.

And now, as promised, here’s what makes Disk Drill perfect for data recovery, especially in scenarios where a virus has deleted your files:

• It works with all kinds of storage devices, including internal system drives, external hard drives, SSDs, USB flash drives, and memory cards. Be prepared that data recovery from an internal/system SSD is often impossible due to the TRIM feature, which automatically completely erases deleted data to maintain the drive’s performance.
• Supports all the commonly used file systems, such as NTFS, FAT32, exFAT, and more. NTFS should be of particular interest since, if the virus affected your system drive (and not an external device), it’s most likely formatted with NTFS.
• Most likely, since your PC is clean, Disk Drill will scan for recently deleted files, which is the easiest case for this kind of tool. However, keep in mind that there are different virus-related file loss scenarios, and this app offers various scanning modes to handle them: Quick Scan (perfect for recovering files that were recently deleted by a virus), Deep Scan (for situations where a virus reformatted your drive or corrupted the file system. Deep Scan reconstructs data directly from the drive, even if file system records are damaged. While file names and folder structures may not always survive, this mode retrieves your data based on its structure in the file table), and Signature Scan (this mode useful when a virus has completely wiped out the file system. It identifies files based on their unique data patterns, or “signatures”). Disk Drill runs all these scans automatically, you won’t have to decide which mode to use.
• It has great filtering and file preview tools to help you find exactly what you’re after without the need to recover everything or do a lot of guesswork.
• Disk Drill offers a Basic version that you can download and use for free. It lets you scan your drive and see if your files are recoverable before you commit to anything. You can also recover up to 500 MB of files completely free, with no strings attached.

Scenario #2: How to Recover Files Deleted by a Virus on a Soft-Infected Computer

If your computer has been infected by a relatively benign virus, i.e. one that has not rendered your computer completely unusable, you can remove the virus and then perform data recovery. In this section, we’ll explore how to remove a virus from your computer and then get back these recently deleted files.

This is a 4-step process:

Step #1: Scan Your System With Windows Defender

Windows has an in-built antivirus program in place, called the Windows Defender. While it has real-time protection, it may not be able to detect all the threats that infect your computer in real-time. Thus, it’s recommended that you run a full system scan using Windows Defender.

Here is how you can do this:

1. Press Windows Key + S, and type “virus and threat protection.”
2. Click on the Virus & threat protection option from the search results.
3. On the next window, click on Scan options under Current Threats.
4. Now, select the Full Scan option and click on Scan now. Windows Defender will scan your entire PC for viruses. It may take a long time and your computer will sluggish while the scan is underway. It’s also advisable to perform a Microsoft Defender Offline scan in addition to the Full Scan.

Step #2: Scan Your System With 3rd Party Antivirus Software

While Windows Defender is quite capable on its own, it may not be able to detect all the threats on your PC. To be on the safer side, scan your computer with a good third-party antivirus solution too. You can use one of the many free third-party antivirus programs like Avast Antivirus, Malwarebytes, etc.

Check the developer’s website for details on how to perform a full antivirus scan using that particular program. The process may differ slightly across different software. Additionally, if your computer has been infected by ransomware, it’s recommended you check the website of antivirus programs for the latest version of ransomware decryptors.

Step #3: Try to Recover Hidden Files From Virus Infected USB/PC Using CMD

In many instances, the virus may not wipe out the information on your drive, but simply hide it from your view. The best way to tackle this is to recover malware-infected files using the CMD.

Don’t worry if you’re not acquainted with CMD, the instructions are simple enough for all users to follow:

1. Type cmd in Windows Search (Windows Key + S). Right-click on Command Prompt > Run as administrator.
2. In the CMD console, type cd\ and press Enter.
3. Now, type the drive letter followed by a colon (:) from which you want to check for and unhide files. Press Enter. In our case, it’s a flash drive with the G: letter assigned to it.
4. Type dir/ah in the console and press Enter. This will display all the hidden files and directories that CMD found in the selected drive. In our case, Command Prompt didn’t find any hidden files or directories, thus there is nothing listed. If CMD finds hidden files in your case, move on to the next step.
5. Lastly, to unhide all the discovered files, type attrib *. -h -s /s /d and press Enter. CMD will unhide them. Note that the Command Prompt may seem stuck during the process, but it’s not. Simply wait it out.

Step #4: Recover Missing Files with Data Recovery Software

In case you’re not able to find your files after performing all the steps in the sections above, you’ll have to scan the drive using data recovery software.

Scenario #3: How to Recover Data from a Hard-Infected PC

In the worst cases, a hard-infected PC may not boot properly due to severe virus damage, system corruption, or ransomware locking you out. When this happens, recovery becomes more complicated, but there are still options to try.

There are many bootable rescue media options available to help fix the problem and recover your data. You can use tools like Avast Rescue Disk, Kaspersky Rescue Disk, or Trend Micro Rescue Disk, which are designed to scan and remove security threats.

However, to use these tools, you need to create bootable media first, which requires a working computer. We will demonstrate how it can be done using Rescue Disk in Avast Antivirus.

How to Create a Rescue Disk to Scan a Virus-Infected Computer That Won’t Boot

To create a Rescue Disk on a blank USB drive or DVD, you’ll need:

• A malware-free Windows PC with Avast Antivirus installed (if you don’t have it, download Avast Premium Security or Avast Free Antivirus).
• A blank USB drive (2GB or higher) or a blank recordable DVD with a DVD-writer and burning software that can write from an ISO file.

How to create the Rescue Disk:

1. Open Avast Antivirus and navigate to Protection > Virus Scans.
2. Select the Rescue Disk tab.
3. Tick Use UEFI boot file for modern PCs if your system uses UEFI. For older PCs using BIOS, untick this box. If you’re unsure whether your PC uses UEFI or BIOS, create both versions and try each until the system successfully boots.
4. Insert the USB drive or DVD into your PC and click Create on USB (or Create on DVD).
5. Select your USB drive or DVD in the dialog that appears and let the process complete.

Once finished, click OK to confirm that the Rescue Disk is ready. Now, you need to boot your PC from Rescue Disk:

1. Insert the USB drive with the Rescue Disk into your infected PC.
2. Power on the PC and immediately press the key to enter the Boot Menu (typically Esc, F12, F11, or F8—refer to your PC’s documentation for the exact key).
3. From the Boot Menu, select the USB device and follow the on-screen instructions to boot into the Rescue Disk environment.
4. Once the Rescue Disk starts, you can begin scanning for malware. Click the AvastPE Antivirus tile on the main Rescue Disk menu.
5. If connected to the internet, click Update VPS to make sure the virus definitions are up to date.
6. Select All hard disks to scan the entire system, or choose Selected folders/disks to scan specific areas. You can also tick Scan all archives to include compressed files.
7. Click Next to begin the scan.

After the scan is complete, Rescue Disk will notify you of any found threats. You can select either:

• Fix automatically: Avast will try to remove the malware while keeping the rest of the file intact. If it can’t repair a file, it will be deleted.
• Fix manually: You can choose which files to delete or repair.

Once you’ve made your selection, click Finish, then choose File > Restart to reboot the PC. You can then remove the USB or DVD. Now, it’s the moment of truth: if your system boots up successfully, great! You can check if your files are still intact. If they’re not, you can use the method described in Scenario #1: How to Recover Files Deleted by a Virus on a Cleaned PC to try to retrieve them.

However, if your system is still down, you have two options to retrieve your files. You can try to connect your drive to a different computer to see if any files can be recovered. Or contact a professional data recovery service.

Option A: Scan the Drive on a Different Computer

Sometimes, viruses cause serious damage, corrupting or deleting important system files, or even formatting your system drive. In these cases, you can try to connect the affected drive to a working computer. You can often remove internal drives and connect them as external drives using an external drive enclosure or a USB-to-SATA adapter.

How to connect an affected drive to a working computer:

1. Turn off your computer.
2. For desktops, open the case and carefully disconnect the drive. For laptops, follow the manual to remove the drive.
3. Place the affected drive in an external enclosure or connect it using a USB-to-SATA adapter. These devices allow you to connect the internal drive as if it were an external drive.
4. Plug the enclosure or adapter into a USB port on the working computer.
5. The affected drive should appear as a new external storage device.
6. Before accessing any files, run a full virus scan.

You can transfer all the existing data you want using the good ol’ copy-paste method. Just select the files you need, copy them, and paste them onto the working computer or another storage device.

If some files were deleted or the drive was formatted use data recovery software to recover lost files from a system infected by a virus.

Option B: Use Professional Recovery Services

If all this DIY data recovery feels like too much, you can always turn to the professionals. We have a list of some of the best recovery services available. You can either find one near you or ship your drive to them for recovery. However, keep in mind that professional services are usually not cheap, and it’s definitely more affordable to try DIY recovery first. But, of course, the choice is yours. If you prefer to leave it to the experts, they can often recover data that’s difficult to retrieve on your own.

What Types of Viruses Are There?

There are several types of computer viruses that affect your PC and your data in different ways. Some viruses may not even impact your data at all. It’s important to know and differentiate between computer viruses.

The terms ‘virus’ and ‘malware’ are often substituted for each other, but they are quite different. A virus is a specific type of malware that usually self-replicates and performs the malicious actions it was programmed to do. There are different types of viruses, defined by how they infect the host and what they do:

• Polymorphic Virus: A difficult-to-detect virus that slightly changes or morphs its code after each infection. Polymorphic Viruses use complex mutation engines to constantly modify their code, encrypt it, and constantly change the encryption key. This is what makes these viruses so tough to detect.
• Macro Virus: Embedded into the macro-instructions of programs such as Excel or Word, Macro Viruses used to be the dominant form of computer viruses, until Microsoft disabled macros by default in MS Office 2000. The damage that a macro virus can do ranges from modifying the infected documents to accessing your email and sending out infected copies of the documents to all your contacts.
• Browser Hijacker: Browser hijacker viruses essentially modify your browser’s settings without your permission. They can redirect your searches to another website, install toolbars without your permission, and display multiple advertisement pop-ups.
• Resident Virus: A resident virus will attach itself to the computer’s memory, allowing it to damage and infect all applications that are run by the computer. There are two primary subtypes of resident viruses–fast infectors and slow infectors. The former does a lot of damage quickly, and thus, is relatively easier to detect. The latter slowly infects and damages your programs to the point of being barely noticeable.
• File Infector Virus: File infector viruses typically infect the executable (.exe) files. As soon as the infected file is executed, the virus may overwrite the original file and spread it to other applications on the host computer. File infecting viruses can make your computer unusable and spread really quickly. In some cases, they can be self-executable too.
• Boot Sector Virus: A boot sector virus infects the master boot record (MBR) or the boot partition of a computer’s hard disk drive. After infection, the malware executes as soon as you boot your PC before security measures can be loaded.
• Spacefiller Virus: Also referred to as cavity viruses, spacefiller viruses occupy the empty space packets in a file, and therefore the infected file’s size remains the same. This also makes them very difficult to detect and remove.
• Web Scripting Virus: A web scripting virus infects your computer by exploiting the vulnerabilities in your web browser. Once it infects your PC, a web scripting virus can self-replicate, steal your browser cookies, and steal other personal information.
• Virus That Deletes Files When Clicking on Them: Some viruses are more destructive in nature. For instance, a virus that deletes files when you click on them can cause immediate deletion of important files as soon as you interact with them.

FAQ