Updated date:

Using command prompt "attrib" to check for Viruses or Malware

Author:

Microsoft Command Prompt "attrib" is a very useful tool to check if your hard drives even your flashdisks have been infected by a virus.

You will know if a Malware is inside your hard drive just by looking at the attributes of each files and the file that has the attributes of +s +h +r

The function of attrib is to set and remove file attributes (read-only, archive, system and hidden).

Launch attrib

To start attrib

  1. Go to Start Menu > Run
  2. Type cmd (cmd stands for command prompt)
  3. Press Enter key

The Command Prompt will appear showing us where is our location in the directory.

command prompt showing the current location in the directory

command prompt showing the current location in the directory

Using attrib

To use attrib

  1. Go to the root directory first by typing cd\(because this is always the target of Malware / Virus)

2. Type attrib and press Enter key

after typing attrib, all the attributes of all the files (excluding folders) will be shown

after typing attrib, all the attributes of all the files (excluding folders) will be shown

In this example, I have two files that are considered as malware.

Note that there are two files which I outlined in red (SilentSoftech.exe and autorun.inf). Since you cannot see this file nor delete it (because the attributes that was set on these files are +s +h +r)

  1. +s - meaning it is a system file (which also means that you cannot delete it just by using the delete command)
  2. +h - means it is hidden (so you cannot delete it)


  3. +r - means it is a read only file ( which also means that you cannot delete it just by using the delete command)


Now we need to set the attributes of autorun.inf to -s -h -r (so that we can manually delete it)

  1. Type attrib -s -h -r autorun.inf ( be sure to include -s -h -r because you cannot change the attributes using only -s or -h or -r alone)
  2. Type attrib again to check if your changes have been committed
  3. If the autorun.inf file has no more attributes, you can now delete it by typing del autorun.inf
  4. Since SilentSoftech.exe is a malware you can remove its attributes by doing step 1 and step 3(just change the filename) ex. attrib -s -h -r silentsoftech.exe


a) I typed the attrib command with the -s -h -r setting b) the result after I pressed enter - autorun.inf has no attributes left

a) I typed the attrib command with the -s -h -r setting b) the result after I pressed enter - autorun.inf has no attributes left

There you have it!!!!

NOTE : when autorun.inf keeps coming back even if you already deleted it, be sure to check your Task Manager by pressing CTRL + ALT + DELETE ( a virus is still running as a process that's why you cannot delete it. KILL the process first by selecting it and clicking End Process.

NOTE: You can also apply the attrib -s -h -r command to all the partition of your computer, drive D: drive E: drive F: (all of your drives). For example. for drive D, just type "D:" (minus the double quote) then you can see that your current drive is D.. type there the command "attrib -s -h -r *.exe" for exe files and "attrib -s -h -r *.inf" and then delete the file by "del autorun.inf".

Hope this helps!!!!! :) Jah bles!

NOTE: If you want to have a more detailed information regarding How to delete a virus visit my other hub.. HOW TO DELETE A VIRUS IN YOUR USB/FLASHDISK

Comments

isyan (author) on June 30, 2014:

Hi,

hopefully you'll never have to experience virus problems.. by just being vigilant and cautious as to the things that you download through the internet.. :)

cheers

Linda Bryen from United Kingdom on June 07, 2013:

Thank you Isyan for this useful and interesting hub, I will it one day when my laptop get virus problems.

sim2king on December 17, 2012:

it worked out just perfectly. Thanx hey

bile bbc on September 20, 2012:

thnks really it is akind of helping before i don't know it but i make of it thnks alot

isyan (author) on September 17, 2012:

haha.. your welcome.. Jesus is Lord

isyan (author) on September 17, 2012:

just use TAB..

ex. type del new (then press TAB.. it will autocomplete the filename)..

rayne on July 24, 2012:

pinoy knaman cguro

mgtatagalog nlang ako pnu ba i delete ung my spacing na virus halimbawa new folder.exe kasi pgtype ko ng del new folder.exe sinasabi could n ot find d:\ new..pnu ba yon kapatid..salamat

hey_jay19@yahoo.com on July 03, 2012:

nice. very informative...

Avinash Singh on June 03, 2012:

thanks dude....

tola on May 20, 2012:

many thanks for kindness

sujith on May 20, 2012:

Thanks you for such wonderful information

ato on May 06, 2012:

your are too much...............thanks alot

chinu on April 24, 2012:

thanx... its very nice n usefull....:)

sonam on April 18, 2012:

hi its been very nic and effectively me to delete virus in my hard drive thankx a lot you are my god ......

asdf on April 12, 2012:

thanks :)

aboalse3ab on March 21, 2012:

first must show all hidden files

and then follow

start cmd

select the letter of the drive (e.g: G:\)

G:\attrib -h -s -r /s *.* /d

Ranga on March 15, 2012:

Thank you!

joey jon pol on February 28, 2012:

thanx man!Boinaparika.it means you guys are geniuses

ken on January 17, 2012:

thanks po

gaby on January 09, 2012:

thanks alot

Matthew on December 16, 2011:

this information is very helpful to me. thanks

Nikhildas on November 21, 2011:

Thanks a lot..

nice article..

rohit baldha on October 28, 2011:

$recycle.bin is a virus.. I used it as an example... Attrib function will not delete a file, it will just set the attributes of a file... In this article I set the attributes of autorun.inf and silentsoftech.exe so that I can delete them using the del function..

sathish on October 22, 2011:

thanks

Nending on September 20, 2011:

thanks for your knowledgeable n useful tips.....i like it v much!!!

uttam kumar on September 10, 2011:

tanks

Lukas on September 06, 2011:

Thanks man helpfully

kaetlin on July 26, 2011:

tnx for this:)

isyan (author) on June 30, 2011:

@walter: use google...

@santosh: dont type "cmd attrib".. pls follow step 1.. Launch attrib...

santoshxl on June 27, 2011:

thanks

himan on May 21, 2011:

hey ..thanks it really works

Te-friend-love-you-max on May 17, 2011:

Wow, thanks msm, run correctly, you're 10

Azo on May 08, 2011:

@sahar to view ur files do the follwing...

goto FOLDER AND SEARCH OPTIONS > VIEW >disable HIDE PROTECTED OPERATING SYSTEM option > apply changes....

ur files will be displayed in ur usb..

sahar on May 06, 2011:

i,have problem that copmuter is not showing all data of usb.the virus effect data is hidden it is not show.how to open this hidden virus effectd data from usb b/c it is important data.kindly guide me the dos command steps through we can recover my impt data. thanks

Omar on April 24, 2011:

Very helpful, thank you.

james on April 17, 2011:

@oxford, that means theres no virus in your system.

chard on April 16, 2011:

thanks it helps but one file with SHR cant delete, the "bootmgr", no file extension.when i try the attrib -s -h -r bootmgr it says "access denied"...wat happened,how to fix this?thanks much

jayzon roxas on April 16, 2011:

why does the autorun.inf in my USB flash drive keeps on coming back.....

oxford on April 06, 2011:

sir, i tried to delete autorun.inf but it will only display "Could Not Find autorun.inf"..

Zenie on April 04, 2011:

-- helo. im so much thank ful with u. i finally deleted the viruses in my pc.... thank u.

Richard on March 22, 2011:

Thanks ISYAN it works.....GOD BLESS

Trisha on March 01, 2011:

Thankz ppl,your atriclez has helpedz me alotz:) keepz up the good workz...really appreciatez itz:)

earl on February 16, 2011:

@aayush

try gpedit.msc, type it on the run (press window & r on your keyboard)

for TASK MANAGER:

1.click Administrative Templates under the User Configuration

2.then click System,

3.then click Ctrl+Alt+Del Options,

4.then 2click Remove Task Manager, tick Enable, then apply

5.then tick Not Configured, then click Ok,

6.then close/exit the Group Policy

FOR REGEDIT

1.do 1 and 2 step(up)

2.then 2click Prevent access to Registry editing tools

3.do 4 to 6 step(up)

after that try to press CTRL+ALt+Del for you Task Manager

if this not come out you still have virus running on your system

hope that helps

earl on February 16, 2011:

@jufei

if you already had clear/clean ur USB for viruses, you can use attrib, type attrib -s -h -r *.* /s at the root directory of your USB, if you want to see those hidden folder, type DIR /AH, u can also use attrib on the folder that have been hidden by the virus

or

u can set ur windows explorer to view those hidden folders & files by doing this

1.open windows explorer

2.click tools, then folder options, then views, then tick "show hidden files and folders"

aayush on February 16, 2011:

hey isyan, i have a problem.i got a virus from my internet and due to it i can not open task manager and registry editor.What to do?Do you have any suggestions?

Inaloz on January 12, 2011:

It worked man. Thanx a lot :^,

isyan (author) on December 23, 2010:

@prabhat: the recycler in drive c is not a virus..

@smitty232: try looking for autrun.inf process... it should be there somewhere... :)

Digvijay on December 22, 2010:

thanx man ur awesome..............

prabhat on December 22, 2010:

i am getting problem in removing the "recycler" which is located in c: drive...

i hv tried it removing it while it is located in any other drive it is getting removed but it is not working for removing in c: drive...pls suggest a solution for it

MCA on December 14, 2010:

@smitty232

you may try creating another admin account and delete the file located in your current account from that new account. You should apply the procedures written above.

smitty232 on December 11, 2010:

ive removed the attributes and i cant even delete in safe mode, i have to kill this process but i cannot find it

smitty232 on December 11, 2010:

i have found the yeawl.exe virus on my laptop, i have typed in attrib -s-h-r yeawl.exe then del yeawl.exe, but it says another process is using it, but i cannot find the process, is there a way to spot the difference to find the process

isyan (author) on December 10, 2010:

@muddassar: try to apply the steps in this post.. and then delete it.. if it's more complicated, Visit my other hub, it has more detailed info in deleting virus..

@Bray: check the process manager, maybe the autorun.inf process is still running.. kill the process then you can change the attribute, then delete it..

kumar abhishek on December 04, 2010:

thanx mate..it did work :)

deep on November 27, 2010:

wooooooooooo its done

Bray on November 23, 2010:

its says access denied when I typed attrib -s -h -r autorun.inf

when i typed del autorun.inf, it says could not find autorun.inf

How is that

kamal on November 20, 2010:

Hi Thanks.

Understood about the basics of attributes.

santosh on November 20, 2010:

good

melanie on November 19, 2010:

thanks!!! it work it didnt work to others becos they r idot

1. first type attrib then enter

when u see .exe it means it is a malware or a virus for example the virus is axbcneag.exe

type del axbcneag.exe

then type again the attrib

then when u didnt see it, it is been remove

seon shrestha on October 27, 2010:

hey this is great article . when is your next article coming?

kishan kunwar on October 25, 2010:

really bro this one article is knowledgeable..............

Thank you for putting such a nice article.

isyan (author) on October 18, 2010:

@mark jordan dalayap: Congrats.. glad it helped alot of people.. :)

mark jordan dalayap on October 14, 2010:

great!! i made it!!

isyan (author) on October 04, 2010:

@jamal: you can apply the command on drive d...and yes.. its possible to delete a virus by using cmd...

@pranav: there is no cmd command that can recover a deleted data..none that I know of.. :) you must use 3rd party apps for that.. try googling for it.. :)

pranav on October 03, 2010:

this idea is working,i know about it before the thing i am searching for is ,how to totlly recover an deleated data piece using CMD codes

jamal on October 02, 2010:

not working,,, drive c has no virus,,, what should i do for the drive d? thers possible way to delet virus from drive d by using cmd?

gudu on October 02, 2010:

very good yar this works

lasith on September 25, 2010:

WOW ITS GREAT

THANX DUDE

Praveen kumar on September 23, 2010:

THIS IS VERY GOOD COMMAND THANKS!

isyan (author) on September 07, 2010:

@laxmi: it is possible that you can delete the os files.. my advice is you google first the suspected file then delete it if its a virus..

laxmi on September 06, 2010:

are u sure it remove only the vires it is posible.......not the file of windows os....

neha on September 05, 2010:

thanks

ben on September 03, 2010:

thanx man, you filipino are awesome. it makes my computer faster now.. cheers

yidi on September 01, 2010:

thanks man i try it and it works.cool.post more and i'll try it again.

nbbatt.com from bear, de, 19701 on August 30, 2010:

thanks guy, you solved my problem.

Bally Joesaccio on August 21, 2010:

If you simply read and comprehend the instructions you will clearly see the value of this article. If you are a flippin bonehead and cannot understand the printed words you should prolly not be using computers.

shiv on August 17, 2010:

it really works

gayz on August 15, 2010:

thanks man!!!

..deomOlisher.. on August 08, 2010:

..sir is it a sign f that there's a virus f may hard drive is loosing sO memory.? but.. i made to use some of u're steps but i didn;t see any infection/virus..

noIRAm... on August 06, 2010:

Sir . . I had this virus that cannot be deleted due to it was been said that "Its been used by another program"? can u plss recommend me a good solution . . tnx more powers . .

sumit on August 02, 2010:

there is a very typical virusin my lappie which can never be deleted..it keeps on coming back even if it is deleted..and whenever i tried to open my command prompt, it dissapears this virus has affected my pendrive too....please help in this matter..

John Robie Maniago on July 01, 2010:

To remove the .exe file in the computer,

First remove first the autorun.inf and then delete the .exe file!

XD!

jay01 on June 28, 2010:

bro can u help to how u can hide and show the files or maybe using a usb flash drive ,. because i have a usb flash drive but i cannot see my folder or files because they are hiding ,.please can u help me about that to recover again it., using you cmd ,command prompt . thanks!! God Bless you ................

JM on June 27, 2010:

T.T my PC has just been attacked by a virus..

first it disabled me task manager then my anti-virus.. I've

already tried finding it by using command prompt but won't

work!...not it's starting to delete my files!..and infected

my 8 GB flash drive!..my gosh..really hate that virus! so

annoying! (cry mode!) gonna reformat my PC..bye bye files! >:/

Munavvar Able on June 23, 2010:

example : del d:\ autorun.inf

gulrpucle on June 11, 2010:

hello dude,

in your example u stated that "Malware is inside your hard drive just by looking at the attributes of each files and the file that has the attributes of +s +h +r".

But at the end you find that only this two files infected although other file also show SHR (in the command prompt). SilentSoftech.exe and autorun.inf

okello michael from uganda(arfrica) on June 11, 2010:

Guess what i just love all the usefull help i get from here am In the MIS dept. but am always going to use this site.Thanx guy we learn alot

MM on May 29, 2010:

i typed it in and it comes up with 'A SH'

O_O

what does that mean?

can anyone help me please D:

axel on May 10, 2010:

this command "attrib" is very usseful and I tried it a few times but there's one thing that I'm not sure about. I restored one virus detected by AVG Int. Sec 9 and than command "attrib" couldn't find it on my system. Why and how to do that? Virus was smth. like Trojan horse Generic...thx

much on May 05, 2010:

sir how to delete an RVHOST.exe in command prompt?im recently using win7..the system doesn't start..so im using safe mode with command prompt trying to delete the virus..please help me thanks..

herwin on April 15, 2010:

thank you so much!

Charaze on April 11, 2010:

It worked! Now, my laptop is working just fine. I'll try to delete other viruses of my other accounts. Thanks for the info!

narico1025 on April 10, 2010:

thank you!!! it works...

isyan (author) on March 30, 2010:

@hammad ansaru: pls read the last part where you have to disable a malicious process running in your computer

@mayuri: thanks and i hope it helped you

@sahan:pls read and understand the instructions carefully because deleting it is included in my post.. :)

hammad ansaru on March 27, 2010:

i have got two virus programms in my usb and i can see them using attrib. but i am unable to change their attribute and i get a message "Not resettig hidden file lemisha.exe"

and "Not resetting hidden file deutrovioce.exe"

any suggestions please?

mayuri on March 22, 2010:

thnks a lot.. i hope i dont see the viruses again..

u explained it v. well..

sahan!@# on March 18, 2010:

how do u delete it

i need the steps!!

donkz on March 12, 2010:

hi.. i want to follow ur instructions but... wen i type the cmd and press the enter key... my computer shut downed...

is there any other way to removed the virus in comp? please help...

Rgonz on March 12, 2010:

Hey i am clean...No virus found..THANKS :D

softboy on March 02, 2010:

perfect!

tyvm from PORTUGAL !

tiagosousa999@hotmail.com