
How to Remove Virus Using CMD

Now, follow the steps below to delete viruses from your computer or storage device
using CMD.

Step 1. Type cmd in the search bar, right-click "Command Prompt" and choose
"Run as an administrator".

Step 2. Type F: and press "Enter". (Replace "F" with the drive letter of the infected
partition or device.)

Step 3. Type attrib -s -h -r /s /d *.* and hit "Enter".

Step 4. Type dir and hit "Enter". Now you will see all the files under the assigned
drive. (The dir command displays a list of a directory's files and subdirectories.)

Step 5. For your information, a virus file name may contain words like "autorun" and
have ".inf" as the extension. Thus, if you find such suspicious files, type del autorun.inf to
remove the virus.

Here are the basic attributes of the 'attrib' command:

R – represents the "Read-only" attribute of a file or folder. Read-only means the file
cannot be written on or executed.
H – the "Hidden" attribute.
A – stands for "Archiving" which prepares a file for archiving.
S – the "System" attribute changes the selected files or folders from user files into
system files.
I – "not content indexed file" attribute.

The "attrib" Syntax:

ATTRIB [+ attribute | – attribute] [pathname] [/S [/D]]


In the above command, let's see what the different parameters and switches are:

'+ / –': To set or to cancel the specified attribute.
'attribute': As explained above.
'/S': Searching throughout the entire path including subfolders.
'/D': Process folders as well.
'pathname': Path where the target file or folder is located.

Here is the proper syntax order for attrib command:

ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S [/D] [/L]]

If you receive the message "Access denied", you should:

• Make sure you have run Command Prompt as an administrator
• Make sure the file/folder is not in use
• Check the permission of the current account and make sure you have full
control over the file/folder (right-click the file/folder/partition and go to
"Security")
• Use CHKDSK command to check for file system errors (run Command Prompt
and enter chkdsk /f [drive letter]:)

How to scan virus using CMD?


To scan your computer for viruses using the command-line tool, you need
to follow these steps:

#1. Start the command prompt as administrator.

#2. Type sfc /scannow in cmd and press enter.


#3. Wait for the verification process to complete. It may take a couple of
minutes depending on your system drive size.
#1. Start command prompt with admin privilege

#2. Set the drive letter from where you want to remove virus

Type the drive letter of the partition from which you want to remove the
virus, followed by ":", and press Enter. This changes the target drive in the
command prompt.

The command is:

d:

This means any task you perform from now on will remain inside that
partition. You will also notice that the prompt now shows your preferred
drive letter (representing that drive).

You can check the root directories in the current drive by typing dir [Drive
letter]: in command prompt.
For example,
dir d:
#3. Use attrib command to display hidden files

Now, to display all the hidden files on your system drive or external drive,
clear the system and hidden attributes with attrib -s -h /s /d *.* and then
list the drive with dir [drive letter]:

For example,

attrib -s -h /s /d *.*
dir d:

These commands will go through the selected drive and display all the files,
including hidden and system files. You will notice lots of file info scrolling
through the command prompt window.

#4. Remove/rename virus files on your computer

If your computer has been infected with a virus, you will notice the virus
files in this list. On a larger disk the list grows, and you might need to
spend some time going through it. On small disks such as a pen drive, the
observation process takes less time.

If you find any unusual file in this list, you can either rename it or remove the
virus from your system.

For example, if you have found an infected file called autorun.inf, you need to
use this format for renaming the file: rename [filename].[extension] [new
file name]

rename autorun.inf trashed

And if you want to remove the virus using cmd, use this format: del [filename].[extension]
or del:[filename]. Both ways work perfectly.

del autorun.inf
del:autorun.inf

What are the attributes of the Attrib command?

The attrib command syntax is: Attrib [+ attribute | – attribute] [pathname] [/S [/D]]

The parameters and switches used in this command are:

‘+ / –’: To set or cancel the specified attribute.
‘attribute’: check in the attribute section.
‘/S’: Searching the entire path that includes the subfolders.
‘/D’: Cover any process folder.
‘pathname’: Address where the target file or folder is located.

Basic attributes:

R – it represents the “Read-only” attribute of a directory. Read-only
suggests the file cannot be written on or executed.
H – it represents the “Hidden” attribute.
A – this stands for “Archiving” which prepares a file for archiving.
S – the “System” attribute modifies the selected files/folders from user files
into system files.
I – stands for “not content indexed file” attribute.

How to remove shortcut virus using cmd?


You might have noticed that sometimes the files on your drive or pen drive
become shortcuts. This is a common type of virus, and you can remove it
from your PC using the steps below.

Step 1: Start cmd as administrator.

Step 2: Now go to the drive you want to scan for the shortcut (autorun.inf)
virus. Either use [drive letter]: or use cd\ to go to your drive.

For example, go to the “d” drive using

d:

And if you want to go to the root of the c drive, use this:

cd\

Step 3: Now type this command to search for autorun.inf virus files.

attrib -h -r -s autorun.inf

If Windows is unable to find the autorun.inf file, cmd will display "File Not
Found - autorun.inf". Otherwise, proceed to the next step to remove the virus
from your directory.

Step 4: Type del autorun.inf command to delete those files.

Step 5: To delete all the shortcuts, type the del *.lnk command and press
Enter.

Step 6: Now open windows explorer and check whether those files are
deleted or not.
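
The checks from the steps above (hidden files, autorun.inf, shortcut files) collected into one batch script, as an added example that is not part of the original guide. It lists hidden items with dir /a without changing any attributes, reports root shortcuts that share a name with an existing file or folder, prints the launch entries of autorun.inf, and renames the file instead of deleting it. The script name and the .quarantined suffix are assumptions.

```batch
@echo off
rem Added example, not part of the original guide: review a drive before deleting.
rem Usage: review.bat F:   (script name and .quarantined suffix are assumptions)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 DRIVE:
    exit /b 1
)
set "DRV=%~1"

echo === Hidden items on %DRV%, attributes left unchanged ===
rem dir /a:h only lists; unlike attrib -s -h /s /d it modifies nothing.
dir /a:h /s /b "%DRV%\" 2>nul

echo === Root shortcuts that share a name with a real file or folder ===
rem "Photos.lnk" next to a hidden "Photos" folder means the original is
rem still on the drive and only hidden behind the shortcut.
for %%L in ("%DRV%\*.lnk") do (
    if exist "%DRV%\%%~nL" echo %%~nxL hides "%%~nL"
)

if not exist "%DRV%\autorun.inf" (
    echo No autorun.inf in the root of %DRV%
    exit /b 0
)

rem Clear the attributes on this one file only, as in Step 3.
attrib -s -h -r "%DRV%\autorun.inf"

echo === Launch entries in %DRV%\autorun.inf ===
rem autorun.inf is plain text; these keys name the program it would start.
findstr /i "open= shellexecute= command=" "%DRV%\autorun.inf"

rem Rename instead of delete so the file can still be examined later.
ren "%DRV%\autorun.inf" autorun.inf.quarantined
echo Renamed autorun.inf to autorun.inf.quarantined
endlocal
```

The program named by the launch entries is the file to look for next; deleting autorun.inf alone leaves that program on the drive.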

An alternative way to remove virus using cmd


Earlier, all you did was go to a directory, expose all the files, and then
check whether you could find any virus or suspicious files.

But what if you want to scan a particular folder and remove a virus using cmd
while making sure that you do not end up losing important files?

Follow the steps below:

1. Open the folder that contains the virus.
2. Open the property window for that folder (shortcut: Alt + Enter).
3. In the property window, if the “size” is less than the “size on disk”, then
it’s possible to recover the lost data from that folder.

Now open the command prompt as administrator and navigate to the
folder you want to delete:

cd C:\Users\"username"\Documents\Test

Tip: replace username with your current logged-in user (also use your
folder address that includes a virus).

Then execute this del command:

del /s /q [folder-name/file name]

If you add a folder name it will force delete all the files in the folder. To
delete individual files include the file name in the directory address. Switch
between folder and file deleting command to find out which one can delete
the infected folder/file.

** This process is useful to delete files that are undeletable as a guest user.
If you have deleted files from your computer unintentionally and want to
recover those files then follow this procedure.

How to recover deleted files using CMD


#1. First, open the command prompt and type: vssadmin List shadows

#2. It will display the list of shadow copies created along with their date.
What you need to do is copy the shadow copy volume link for which the
date covers your file deletion date.

#3. Then you need to create a symbolic link with this command.

#4. First, change the directory by typing cd\ in the command prompt.

#5. Type mklink /d c:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ in
the command prompt and press Enter. (The trailing backslash after the shadow
copy path is needed for the link to open.)

“shadow” = it’s just the name of the symbolic link (shortcut) that is going to
be created in your given directory (which is c:\ here). You can put any other
name that does not already exist in the directory.

“\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2” = this is the
shadow copy volume address that was collected from the shadow list.

#6. Now open the directory (c:\) in Explorer where you have created the
shortcut and look for the folder (shadow).

#7. Open the shortcut and find the directory from where you have deleted
your files previously. You should find your deleted files there.

#8. Now move the files to your actual folders and thus your files will be
recovered.
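
The recovery steps above as one batch script, as an added example that is not part of the original guide. It lists the shadow copies, creates the link with the trailing backslash mklink needs, copies one file back, and removes the link again. The script name, the link name c:\shadow_restore and the sample paths in the comments are assumptions.

```batch
@echo off
rem Added example, not part of the original guide. Run from an elevated prompt.
rem Usage: restore.bat SHADOW_VOLUME RELATIVE_PATH DEST_FOLDER
rem   SHADOW_VOLUME  as shown by vssadmin, e.g.
rem                  \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
rem   RELATIVE_PATH  deleted file inside the volume, e.g.
rem                  Users\me\Documents\a.txt   (constructed sample path)
rem The script name and the link name c:\shadow_restore are assumptions.
setlocal
if "%~3"=="" (
    echo Shadow copies on this machine:
    vssadmin list shadows | findstr /c:"creation time" /c:"Shadow Copy Volume:"
    echo Usage: %~nx0 SHADOW_VOLUME RELATIVE_PATH DEST_FOLDER
    exit /b 1
)
set "LINK=c:\shadow_restore"
if exist "%LINK%" (
    echo The link name is already in use, choose another one
    exit /b 1
)

rem mklink needs the shadow copy path with a trailing backslash,
rem otherwise the link is created but cannot be opened.
mklink /d "%LINK%" "%~1\" || exit /b 1

if not exist "%LINK%\%~2" (
    echo File not found in this shadow copy
) else (
    rem Copy rather than move: the shadow copy itself is read-only.
    copy "%LINK%\%~2" "%~3\"
)

rem rmdir removes only the link, never the shadow copy contents.
rmdir "%LINK%"
endlocal
```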
