After an infection, the machine is a crime scene nobody should keep walking through. The malware may have hidden your folders, scrambled filenames, deleted what it pleased — and it may still be resident, waiting for the next USB stick or network share. The professional route treats the drive as contaminated evidence: image it, quarantine it, and lift the clean data out without ever letting the infection breathe again.
Infections hurt data three ways. The vandals hide folders and set everything to “system” invisibility, or shuffle names to cause panic — your files intact behind a curtain of attributes. The parasites corrupt what they touch while spreading — documents that suddenly won’t open, executables bloated with passenger code. The wipers genuinely delete or overwrite, turning the job into deleted-file recovery against whatever the malware’s schedule left behind. Diagnosis comes first, because each pattern gets a different plan.
And if the “virus” left a ransom note, that’s its own discipline — see ransomware recovery, where paying is never the plan.
The infected drive is imaged behind a write-blocker and never boots again — all work happens on the image, inside an isolated environment that grants the malware no execution and no network. Your files are extracted, screened, and verified clean before anything is handed over; live infections stay sealed in the image like insects in amber. What we won’t do is the corner-shop routine of running an antivirus over your original disk — “cleaning” deletes infected carriers, and infected carriers are sometimes your documents.
The drive itself comes back to you as-is or wiped for reuse — your call once the data is safe.
The end state is a clean data set on new media, ready to restore onto a freshly-installed system — the only trustworthy foundation after a compromise. We’ll flag anything suspicious found riding along, note what the infection appears to have been, and leave the security questions where they belong: answered before the recovered files ever touch a production machine.
A single affected drive is a fixed £300 + VAT, whatever the fault turns out to be; the rare chip-level exception is quoted in writing first. Everything starts with a free diagnostic, the figure goes in writing before work begins, and on most jobs nothing is owed unless the data comes back. No hourly meter, no evaluation fee, no percentage of what the files are worth.
If the files have been encrypted rather than deleted, ransomware recovery services are the right route — and they start by not paying anyone.
Very likely — AV quarantine and deletion remove infected files, and when malware embeds in documents, the documents go with it. Those removals are recoverable like any deletion if the drive stops being used now. Check the AV’s quarantine folder first; then image and recover what cleaning threw out.
The classic hider pattern — attributes flipped to hidden/system, sometimes with decoy shortcuts left in place. The space-used figure is your data announcing it still exists. Straightforward to reverse from an image; the only way to lose here is panic-formatting a drive that was never empty.
Completely — infected media is handled as contaminated by default: write-blocked imaging, isolated analysis, no execution, no network, your infection never meets another drive. It’s a normal category of work here, not an exception. Label it as suspected-infected and we’ll treat it accordingly from arrival.
To a useful degree, yes — the image preserves the evidence, and we’ll identify the family where recognisable and describe what it appears to have altered or destroyed. For formal forensic attribution — reports for legal or HR proceedings — that’s the forensic service, built on exactly this preserved image.
Two honest routes, no vans. Hand the device in at Tay House, 300 Bath Street — right at Charing Cross, two minutes off the M8 — Monday to Friday, 9am–5:30pm. Or wrap it well and send it by insured, tracked post from anywhere in the UK. The work is done in-house by our own engineers, with a documented chain of custody, and your data never leaves the UK.
Every boot gives the malware another shift and the deletions another layer. Virus and malware data recovery for Glasgow: imaged, quarantined, and returned clean — drop-off at Tay House or clearly-labelled insured post.