iTech Solution

Using Command Prompt (CMD) "attrib" to check for Viruses or Malware

5/4/2023

The Microsoft Command Prompt "attrib" command is a very useful tool for checking whether your hard drives, and even your USB flash drives, have been infected by a virus.
You can tell whether malware or a virus is on your drive just by looking at the attributes of each file. The attrib command displays, sets, and removes file attributes (read-only, archive, system, and hidden).

To start attrib, follow these steps:

Go to Start Menu > Run
Type cmd (cmd stands for command prompt), then choose Run as Administrator
Press the Enter key
Go to the root directory first by typing cd\ (because this is always the target of malware / viruses).
Type attrib and press the Enter key. After typing attrib, the attributes of all files will be shown.
In this example, we have two files that are considered malware. Note that two files were outlined in red (SilentSoftech.exe and autorun.inf). We cannot see these files or delete them, because the attributes set on them are +s +h +r.

+s - means it is a system file (which also means that you cannot delete it just by using the delete command)
+h - means it is hidden (so you cannot delete it).
+r - means it is a read-only file (which also means that you cannot delete it just by using the delete command)

Now we need to set the attributes of autorun.inf to -s -h -r (so that we can manually delete it).

  • Type attrib autorun.inf -s -h -r or attrib -s -h -r autorun.inf (be sure to include -s -h -r because you cannot change the attributes using only -s or -h or -r alone).
  • Type attrib again to check if your changes have been committed.
  • If the autorun.inf file has no more attributes, you can now delete it by typing del autorun.inf
  • Since SilentSoftech.exe is malware, you can remove its attributes by repeating step 1 and step 3 (just change the filename), e.g. attrib silentsoftech.exe -s -h -r or attrib -s -h -r silentsoftech.exe

Note: If autorun.inf keeps coming back even after you have deleted it, check your Task Manager by pressing CTRL + ALT + DELETE. A virus is still running as a process, which is why you cannot delete it. Kill the process first by selecting it and clicking End Process.
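
The same check can be scripted. The PowerShell below is an added example, not part of the original post: it lists files in a drive root that are both hidden and system, and shows what an autorun.inf would launch. The drive letter E:\ and the list of expected Windows files are assumptions; adjust them for your machine.

```powershell
# Added example: find hidden + system files in a drive root (the +s +h
# combination described above) and inspect autorun.inf before deleting it.
$Root = 'E:\'   # assumed drive letter of the USB stick or disk to check

# Files Windows itself keeps hidden + system in the root of the system
# drive. These are expected and are not a sign of infection.
$expected = 'pagefile.sys', 'hiberfil.sys', 'swapfile.sys', 'bootmgr', 'BOOTNXT'

# Flags value meaning "Hidden and System are both set".
$mask = [IO.FileAttributes]'Hidden, System'

# -Force makes Get-ChildItem return hidden and system items, which a
# plain directory listing would skip.
$flagged = Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $mask) -eq $mask -and $_.Name -notin $expected
    }

# Report name, attributes, timestamp, size and a SHA-256 hash that can be
# looked up with an antivirus vendor before the file is deleted.
$flagged | ForEach-Object {
    $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name       = $_.Name
        Attributes = $_.Attributes
        Modified   = $_.LastWriteTime
        Size       = $_.Length
        SHA256     = $hash.Hash
    }
} | Format-Table -AutoSize

# If autorun.inf exists, print the lines that name a program to start,
# so the executable it points to can be removed as well.
$autorun = Join-Path $Root 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    Get-Content -LiteralPath $autorun -Force |
        Select-String -Pattern '^\s*(open|shellexecute|shell\\.+\\command)\s*='
}
```

A file reported here is a candidate for the manual attrib and del steps above, not proof of infection: other legitimate software can also mark its files hidden and system.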
    Hi, I'm Ralph Gregore Masalihit!
     
Copyright © 2011 - 2023 iTech Solution. All Rights Reserved.
