Using command prompt "attrib" to check for Viruses or Malware
Microsoft Command Prompt "attrib" is a very useful tool to check if your hard drives even your flashdisks have been infected by a virus.
You will know if a Malware is inside your hard drive just by looking at the attributes of each files and the file that has the attributes of +s +h +r
The function of attrib is to set and remove file attributes (read-only, archive, system and hidden).
Launch attrib
To start attrib
- Go to Start Menu > Run
- Type cmd (cmd stands for command prompt)
- Press Enter key
The Command Prompt will appear showing us where is our location in the directory.
Using attrib
To use attrib
- Go to the root directory first by typing cd\(because this is always the target of Malware / Virus)
2. Type attrib and press Enter key
In this example, I have two files that are considered as malware.
Note that there are two files which I outlined in red (SilentSoftech.exe and autorun.inf). Since you cannot see this file nor delete it (because the attributes that was set on these files are +s +h +r)
- +s - meaning it is a system file (which also means that you cannot delete it just by using the delete command)
- +h - means it is hidden (so you cannot delete it)
- +r - means it is a read only file ( which also means that you cannot delete it just by using the delete command)
Now we need to set the attributes of autorun.inf to -s -h -r (so that we can manually delete it)
- Type attrib -s -h -r autorun.inf ( be sure to include -s -h -r because you cannot change the attributes using only -s or -h or -r alone)
- Type attrib again to check if your changes have been commited
- If the autorun.inf file has no more attributes, you can now delete it by typing del autorun.inf
- Since SilentSoftech.exe is a malware you can remove its attributes by doing step 1 and step 3(just change the filename) ex. attrib -s -h -r silentsoftech.exe
There you have it!!!!
NOTE : when autorun.inf keeps coming back even if you already deleted it, be sure to check your Task Manager by pressing CTRL + ALT + DELETE ( a virus is still running as a process thats why you cannot delete it. KILL the process first by selecting it and clicking End Process.
NOTE: You can also apply the attrib -s -h -r command to all the partition of your computer, drive D: drive E: drive F: (all of your drives). For example. for drive D, just type "D:" (minus the double quote) then you can see that your current drive is D.. type there the command "attrib -s -h -r *.exe" for exe files and "attrib -s -h -r *.inf" and then delete the file by "del autorun.inf".
Hope this helps!!!!! :) Jah bles!
NOTE: If you want to have a more detailed information regarding How to delete a virus visit my other hub.. HOW TO DELETE A VIRUS IN YOUR USB/FLASHDISK
This Hub was last updated on July 18, 2011
Microsoft Innovation with Microsoft Surface codename...
How to Delete a Virus in your USB drive or Flashdisk
How to remove a short cut virus from your Flash drive or your Drive
Ten Best Windows 7 Combination Keyboard Shortcuts to get you started
What Are Junk Files and Why You Should Delete Them
Know Your Coumputer Uptime: How Do You Know Your Computer Uptime?
Simple Steps to Convert a Flash Drive into Bootable
how to remove tavo kavo and ckvo virus
Windows scheduler using Command Prompt
How to Reset the TCP in Windows XP Vista and Windows 7Follow (5)Comments 185 comments
thanks man.. this solved my problem.. :)
this solves my problem but still there is one thing i don't get, how would i know if a attribute is a malware or trojans?
you can check if a file is an OS file or not but googling it... but usually virus has awkward names... :)
how would you know if a file shown is infected?
Thanks so much! (:
thanks dude
thanks:
Thnks!
Carried out all the steps as instructed but after the delete step the prompt page said autorun.inf file could not be found although it was still clearly there and once I typed in attrib the autorun file was back with the SHR attributes. This also happened with another virus/malware m1eqos3.exe which also didnt delete. Please help
@gaz: there is possible a running malware on your computer that is why when you change or delete the autorun, it will again be restored...
NOTE : when autorun.inf keeps coming back even if you already deleted it, be sure to check your Task Manager by pressing CTRL + ALT + DELETE ( a virus is still running as a process thats why you cannot delete it. KILL the process first by selecting it and clicking End Process.
sir!! i still have my mp4 always formatiing by itself and i always lose my important pics. pls help me
it does not remove any viruses
this is one of some silly methods.
how would i know what is the virus?
Thanks!
Thanks
@robert: try to scan your mp4 using kaspersky (update it first)
@hitesh: read the TITLE! it doesn't says remove virus --- we're just checking for it.. and maybe applying some first aid if we can..
@pshh: usually a virus has silly names.. but if you're unsure just google the filename...
@sheryl and silambu: np.. hoe it helps!
it 's ok ,
after typing del autorun.inf it is saying it is used by some other process,so can't be deleted
Hi isyan,
I am having an issue with Explorer setting all of my folders to Read Only. I try to remove the check and Apply but it comes back.
Will the attrib cmd help?
Vista 64
question:
Does this also make the folder options to come back to its original settings? which means when u have already deleted the virus, can you now access folder options?
Thanx, it works. Those complaining shuld follow tha process carefully.
thank you so much i learned a lot from that.....
Yes This informaation is very useful to me.
And by this way we can create undetected virus.
If anybody want more information contact me at beautypeacock@gmail.com
this gives very usefull ideas thanks alot
very good!
very helpful
good simple to do
i found 3 with SHR
bootmgr
io sys
ms dos
i see io sys and ms dos in yours too but you did not circle it in red, therefore i believe that this these two arent virus/malware/trojan
but what about bootmgr?
It realy Work! It solved My problem.
Thanks!
salamat sa information heehehe tanks karajaw gajud
this method..is very good....thanxxxxx
yAh dat was great i think i can now delete virus easily.. thanks for posting duds
perfect!
tyvm from PORTUGAL !
tiagosousa999@hotmail.com
Hey i am clean...No virus found..THANKS :D
hi.. i want to follow ur instructions but... wen i type the cmd and press the enter key... my computer shut downed...
is there any other way to removed the virus in comp? please help...
how do u delete it
i need the steps!!
thnks a lot.. i hope i dont see the viruses again..
u explained it v. well..
i have got two virus programms in my usb and i can see them using attrib. but i am unable to change their attribute and i get a message "Not resettig hidden file lemisha.exe"
and "Not resetting hidden file deutrovioce.exe"
any suggestions please?
@hammad ansaru: pls read the last part where you have to disable a malicious process running in your computer
@mayuri: thanks and i hope it helped you
@sahan:pls read and understand the instructions carefully because deleting it is included in my post.. :)
thank you!!! it works...
It worked! Now, my laptop is working just fine. I'll try to delete other viruses of my other accounts. Thanks for the info!
thank you so much!
sir how to delete an RVHOST.exe in command prompt?im recently using win7..the system doesn't start..so im using safe mode with command prompt trying to delete the virus..please help me thanks..
this command "attrib" is very usseful and I tried it a few times but there's one thing that I'm not sure about. I restored one virus detected by AVG Int. Sec 9 and than command "attrib" couldn't find it on my system. Why and how to do that? Virus was smth. like Trojan horse Generic...thx
i typed it in and it comes up with 'A SH'
O_O
what does that mean?
can anyone help me please D:
Guess what i just love all the usefull help i get from here am In the MIS dept. but am always going to use this site.Thanx guy we learn alot
hello dude,
in your example u stated that "Malware is inside your hard drive just by looking at the attributes of each files and the file that has the attributes of +s +h +r".
But at the end you find that only this two files infected although other file also show SHR (in the command prompt). SilentSoftech.exe and autorun.inf
example : del d:\ autorun.inf
T.T my PC has just been attacked by a virus..
first it disabled me task manager then my anti-virus.. I've
already tried finding it by using command prompt but won't
work!...not it's starting to delete my files!..and infected
my 8 GB flash drive!..my gosh..really hate that virus! so
annoying! (cry mode!) gonna reformat my PC..bye bye files! >:/
bro can u help to how u can hide and show the files or maybe using a usb flash drive ,. because i have a usb flash drive but i cannot see my folder or files because they are hiding ,.please can u help me about that to recover again it., using you cmd ,command prompt . thanks!! God Bless you ................
To remove the .exe file in the computer,
First remove first the autorun.inf and then delete the .exe file!
XD!
there is a very typical virusin my lappie which can never be deleted..it keeps on coming back even if it is deleted..and whenever i tried to open my command prompt, it dissapears this virus has affected my pendrive too....please help in this matter..
Sir . . I had this virus that cannot be deleted due to it was been said that "Its been used by another program"? can u plss recommend me a good solution . . tnx more powers . .
..sir is it a sign f that there's a virus f may hard drive is loosing sO memory.? but.. i made to use some of u're steps but i didn;t see any infection/virus..
thanks man!!!
it really works
If you simply read and comprehend the instructions you will clearly see the value of this article. If you are a flippin bonehead and cannot understand the printed words you should prolly not be using computers.
thanks guy, you solved my problem.
thanks man i try it and it works.cool.post more and i'll try it again.
thanx man, you filipino are awesome. it makes my computer faster now.. cheers
thanks
are u sure it remove only the vires it is posible.......not the file of windows os....
@laxmi: it is possible that you can delete the os files.. my advice is you google first the suspected file then delete it if its a virus..
THIS IS VERY GOOD COMMAND THANKS!
WOW ITS GREAT
THANX DUDE
very good yar this works
not working,,, drive c has no virus,,, what should i do for the drive d? thers possible way to delet virus from drive d by using cmd?
this idea is working,i know about it before the thing i am searching for is ,how to totlly recover an deleated data piece using CMD codes
@jamal: you can apply the command on drive d...and yes.. its possible to delete a virus by using cmd...
@pranav: there is no cmd command that can recover a deleted data..none that I know of.. :) you must use 3rd party apps for that.. try googling for it.. :)
great!! i made it!!
@mark jordan dalayap: Congrats.. glad it helped alot of people.. :)
really bro this one article is knowledgeable..............
Thank you for putting such a nice article.
hey this is great article . when is your next article coming?
thanks!!! it work it didnt work to others becos they r idot
1. first type attrib then enter
when u see .exe it means it is a malware or a virus for example the virus is axbcneag.exe
type del axbcneag.exe
then type again the attrib
then when u didnt see it, it is been remove
good
Hi Thanks.
Understood about the basics of attributes.
its says access denied when I typed attrib -s -h -r autorun.inf
when i typed del autorun.inf, it says could not find autorun.inf
How is that
wooooooooooo its done
thanx mate..it did work :)
@muddassar: try to apply the steps in this post.. and then delete it.. if it's more complicated, Visit my other hub, it has more detailed info in deleting virus..
@Bray: check the process manager, maybe the autorun.inf process is still running.. kill the process then you can change the attribute, then delete it..
i have found the yeawl.exe virus on my laptop, i have typed in attrib -s-h-r yeawl.exe then del yeawl.exe, but it says another process is using it, but i cannot find the process, is there a way to spot the difference to find the process
ive removed the attributes and i cant even delete in safe mode, i have to kill this process but i cannot find it
@smitty232
you may try creating another admin account and delete the file located in your current account from that new account. You should apply the procedures written above.
i am getting problem in removing the "recycler" which is located in c: drive...
i hv tried it removing it while it is located in any other drive it is getting removed but it is not working for removing in c: drive...pls suggest a solution for it
thanx man ur awesome..............
@prabhat: the recycler in drive c is not a virus..
@smitty232: try looking for autrun.inf process... it should be there somewhere... :)
It worked man. Thanx a lot :^,
hey isyan, i have a problem.i got a virus from my internet and due to it i can not open task manager and registry editor.What to do?Do you have any suggestions?
@jufei
if you already had clear/clean ur USB for viruses, you can use attrib, type attrib -s -h -r *.* /s at the root directory of your USB, if you want to see those hidden folder, type DIR /AH, u can also use attrib on the folder that have been hidden by the virus
or
u can set ur windows explorer to view those hidden folders & files by doing this
1.open windows explorer
2.click tools, then folder options, then views, then tick "show hidden files and folders"
@aayush
try gpedit.msc, type it on the run (press window & r on your keyboard)
for TASK MANAGER:
1.click Administrative Templates under the User Configuration
2.then click System,
3.then click Ctrl+Alt+Del Options,
4.then 2click Remove Task Manager, tick Enable, then apply
5.then tick Not Configured, then click Ok,
6.then close/exit the Group Policy
FOR REGEDIT
1.do 1 and 2 step(up)
2.then 2click Prevent access to Registry editing tools
3.do 4 to 6 step(up)
after that try to press CTRL+ALt+Del for you Task Manager
if this not come out you still have virus running on your system
hope that helps
Thankz ppl,your atriclez has helpedz me alotz:) keepz up the good workz...really appreciatez itz:)
Thanks ISYAN it works.....GOD BLESS
-- helo. im so much thank ful with u. i finally deleted the viruses in my pc.... thank u.
sir, i tried to delete autorun.inf but it will only display "Could Not Find autorun.inf"..
why does the autorun.inf in my USB flash drive keeps on coming back.....
thanks it helps but one file with SHR cant delete, the "bootmgr", no file extension.when i try the attrib -s -h -r bootmgr it says "access denied"...wat happened,how to fix this?thanks much
@oxford, that means theres no virus in your system.
Very helpful, thank you.
i,have problem that copmuter is not showing all data of usb.the virus effect data is hidden it is not show.how to open this hidden virus effectd data from usb b/c it is important data.kindly guide me the dos command steps through we can recover my impt data. thanks
@sahar to view ur files do the follwing...
goto FOLDER AND SEARCH OPTIONS > VIEW >disable HIDE PROTECTED OPERATING SYSTEM option > apply changes....
ur files will be displayed in ur usb..
Wow, thanks msm, run correctly, you're 10
hey ..thanks it really works
thanks
@walter: use google...
@santosh: dont type "cmd attrib".. pls follow step 1.. Launch attrib...
$recycle.bin is a virus.. I used it as an example... Attrib function will not delete a file, it will just set the attributes of a file... In this article I set the attributes of autorun.inf and silentsoftech.exe so that I can delete them using the del function..
Thanks a lot..
nice article..
first must show all hidden files
and then follow
start cmd
select the letter of the drive (e.g: G:\)
G:\attrib -h -s -r /s *.* /d
hi its been very nic and effectively me to delete virus in my hard drive thankx a lot you are my god ......
pinoy knaman cguro
mgtatagalog nlang ako pnu ba i delete ung my spacing na virus halimbawa new folder.exe kasi pgtype ko ng del new folder.exe sinasabi could n ot find d:\ new..pnu ba yon kapatid..salamat
just use TAB..
ex. type del new (then press TAB.. it will autocomplete the filename)..
haha.. your welcome.. Jesus is Lord
isyan 4 years ago Hub Author
silentsoftech.exe is a virus.. I used it as an example... Attrib function will not delete a file, it will just set the attributes of a file... In this article I set the attributes of autorun.inf and silentsoftech.exe so that I can delete them using the del function..