How to restore some USB pen drive files after fixing Lodbak.gen!lnk / autorun.gen infection?
My suggestion would first be to try to rename the folder that looks like a drive, which can, for instance, be done from Explorer by highlighting it and pressing F2. Maybe that will make it possible to CD into it and see the files.
If that doesn't solve it, I'd suggest taking a look at the folder permissions, and making sure your user is the owner of the files, from an administrator account. The reason is that if you aren't the owner, maybe this is why attrib fails? You should be able to find and change the permissions from an administrator account by right-clicking the folder and choosing Properties->Security->Advanced->Owner.
More info on how to do this: http://technet.microsoft.com/en-us/library/cc753659.aspx
Another idea would be trying to obtain the files via a file recovery tool. It looks like Piriform has a free version of Recuva, which you can get here: https://www.piriform.com/recuva
Edit: As for the cd'ing problem, courtesy of dave_thompson_085's comment, when you want to change to a different partition such as d:, you first need to write just
d:
...that is without cd in front, whereafter you can use cd to traverse the different folders on that partition.
I've literally had this happen to me over a hundred times and it's always when I plug my thumb drive into a computer at a cyber cafe or a library computer, etc. It's ridiculously easy to fix though.
You were right about running attrib -s -h -r /s /d. That's pretty much all you need to do here. You could additionally run del /F /S /Q desktop.ini (after you've run the first command) to remove all folder customizations (e.g. a folder that looks like a hard drive partition).
Before you run either command, you should run this: cd /d X: (where X is the drive letter assigned to your pen drive)
It's also completely safe to explore the folder with no name (i.e. the
folder) as long as you don't click on anything suspicious inside, like an executable file you don't remember copying, a .BAT, .SCR, .COM, .VBS script, suspicious XLS, PDF, DOCX files, etc.)
Sometimes you run into a worm infection, an executable file that makes several copies of itself, looks like a folder icon and renames each of its copies to look like legitimate folders already present on your pen drive.
It's quite easy to remove this as well, even if you don't have an antivirus installed. I prefer to navigate to the root of the pen drive and enter *.exe size: xxx into the search box where xxx is the exact size of the executable file in bytes. This should give you a list of all malware executables on your pen drive that you can safely delete. You must exercise caution here though, because there's a (slim) chance that you have legitimate executable files on your pen drive that are the same size as the malware.
EDIT: I've never personally had problems with malware changing file/folder permissions but you never know, so you could also run the following two commands (after you've run cd /d X:):
takeown /r /f X:\*
icacls X:\* /T /L /Q /C /RESET
X is the drive letter assigned to your pen drive.
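The size search described in the answer above, extended with a hash comparison to separate real copies from legitimate files that merely share the size; this is an added example, not part of the original answer. The function name Find-WormCopy, its parameters, the drive letter and the sample file name are assumptions, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the answers). Read-only: it lists candidates and deletes nothing.
# Find-WormCopy and its parameter names are hypothetical, chosen for this illustration.
function Find-WormCopy {
    param(
        [Parameter(Mandatory)] [string] $Root,        # pen drive root, e.g. X:\
        [Parameter(Mandatory)] [string] $SamplePath   # one file already identified as the worm
    )

    $sample     = Get-Item -LiteralPath $SamplePath -Force
    $sampleHash = (Get-FileHash -LiteralPath $sample.FullName -Algorithm SHA256).Hash

    # -Force includes hidden and system files, so this works before or after attrib -s -h -r.
    Get-ChildItem -LiteralPath $Root -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $sample.Length } |   # same test as "*.exe size: xxx"
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path         = $_.FullName
                Bytes        = $_.Length
                Attributes   = $_.Attributes
                # $true  = byte-for-byte identical to the sample
                # $false = same size only; inspect by hand before removing
                SameAsSample = ($hash -eq $sampleHash)
            }
        }
}

# Usage (X: and the sample file name are placeholders):
# Find-WormCopy -Root 'X:\' -SamplePath 'X:\Documents.exe' | Format-Table -AutoSize
```

Rows with SameAsSample set to False are the same-size files the answer cautions about.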
The first and most important step is to hold off on writing anything to the USB. That means don't delete anything from the USB, don't rename anything on the USB, don't move any files on the USB, don't run chkdsk on the USB. Period. Any time you write on the drive, you are potentially permanently overwriting and destroying older, existing data that you wish to save!
Depending on how important the data on the drive is, before anything else, create a byte-by-byte clone of the drive. Using dd for Windows:
dd if=\\?\Device\Harddisk1\Partition0 of=backup.dat
Now you can run file recovery software on the partition, like the free Recuva and PhotoRec. More advanced tools exist like EasyRecovery Professional and NTFS-specific utilities, but they're paid and older (not recently updated or developed) while Recuva and PhotoRec/TestDisk have seen a lot of development and improvements in recent years.
You've already done a lot of writing and modifications to the filesystem after losing your files, so there's a chance your files are corrupted. Recuva and PhotoRec will both show you the probability of properly recovering a file and how much of it is damaged or overwritten. Hopefully the files you value most are still there.