A shortcut virus is a kind of Trojan/worm combination that hides all of your files and folders, then replaces them all with shortcuts that look exactly the same.
When you launch one of these false shortcuts, you end up running malware that duplicates the virus and further infects your system, leading to stolen personal data, worsened system performance, and all kinds of other malware-related side effects.
Shortcut viruses mainly affect physical file transfer devices like USB flash drives, external hard drives, and SD memory cards, but can be transferred to computers when exposed to an infected device that takes advantage of Autorun or Autoplay in Windows.
Many shortcut viruses remain undetected by antivirus software, so running a security suite with a virus scanner usually isn’t enough. Fortunately, the process for manually removing a shortcut virus is relatively simple and painless.
Removing a Shortcut Virus From an External Device
If you have a USB flash drive, external hard drive, or SD memory card that’s infected with a shortcut virus, the infection will spread whenever you plug it into a Windows PC. Here’s how to remove the infection from the external device:
- Plug in the infected external device.
- Open File Explorer (Windows key + E keyboard shortcut) and look under the Devices and drives section to find the external device, then make a mental note of the drive letter (e.g. E:).
- Launch an elevated Command Prompt by opening the Power User Menu (Windows key + X keyboard shortcut) and selecting Command Prompt (Admin).
- Orient the Command Prompt to the external device by typing the drive letter you noted in step 2, then hitting Enter:
- Delete all shortcuts on the device with this command:
- Restore all files and folders on the device with this command:
attrib -s -r -h /s /d *.*
The attrib command is a native Windows command that changes the attributes of a file or folder. The other parts of the command designate which files and folders to alter and how they should be altered:
- -s removes the “system file” status from all matching files and folders.
- -r removes the “read-only” status from all matching files and folders.
- -h removes the “hidden” status from all matching files and folders.
- /s makes the command recursively apply to all files and folders in the current directory and all subdirectories, basically the entire device in this case.
- /d makes the command apply to folders as well (normally attrib only handles files).
- *.* means all file names and folder names should be considered a match.
Once you’ve done all that, consider copying all of your files off of the external device, completely formatting the external device to wipe it clean, then moving your files back onto the external device. Learn more about how to format an external drive. (But first make sure to clean your computer too! Instructions below.)
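Before deleting shortcuts or clearing attributes, it helps to record what is actually on the device. The PowerShell script below is an added example, not part of the original article: it lists every shortcut at the drive root, where it points, and whether it is named after a hidden system entry. The drive letter parameter and the match pattern are assumptions.

```powershell
# Added example (not from the original article): read-only audit of a drive.
# $Drive is an assumption; pass the letter you noted in File Explorer.
param([string]$Drive = 'E:')

$root = "$Drive\"
# -Force is required, otherwise hidden and system entries are not returned.
$items = Get-ChildItem -LiteralPath $root -Force

# Entries carrying both attributes that "attrib -s -h" would clear.
$concealed = $items | Where-Object {
    $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
    $_.Attributes.HasFlag([IO.FileAttributes]::System)
}
$concealedNames = @($concealed | ForEach-Object { $_.Name })

# WScript.Shell can load an existing .lnk; nothing is written unless Save() is called.
$shell = New-Object -ComObject WScript.Shell

$report = $items | Where-Object { $_.Extension -eq '.lnk' } | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    [pscustomobject]@{
        Shortcut       = $_.Name
        Target         = $lnk.TargetPath
        Arguments      = $lnk.Arguments
        # A shortcut named after a concealed item is the pattern described above.
        MasksHidden    = $concealedNames -contains $_.BaseName
        # Pattern is an assumption based on the names this article mentions.
        RunsScriptHost = "$($lnk.TargetPath) $($lnk.Arguments)" -match 'wscript|\.vbs|cmd\.exe'
    }
}

$report | Sort-Object MasksHidden -Descending | Format-Table -AutoSize -Wrap
"{0} concealed entries, {1} shortcuts at the drive root" -f $concealedNames.Count, @($report).Count
```

Legitimate entries such as System Volume Information are also hidden system folders, so a concealed entry is only notable when a shortcut of the same name sits beside it. The script inspects the drive root only and changes nothing on the device.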
How to Permanently Remove a Shortcut Virus from Your PC
If your Windows PC is infected with a shortcut virus, then any time you plug in another external device, the infection will spread to that device. Here’s how to remove a shortcut virus using CMD (on a Windows machine):
- Open the Task Manager (Ctrl + Shift + Esc keyboard shortcut).
- In the Process tab, look for wscript.exe or wscript.vbs, right-click on it, and select End Task. If you see both, go ahead and do it for both.
- Close the Task Manager.
- Open the Start Menu, search for regedit, and launch the Registry Editor.
- In the Registry Editor, navigate to the following in the left sidebar:
- In the right panel, look for any strange-looking key names, such as odwcamszas, WXCKYz, OUzzckky, etc. For each one, run a Google search to see if it’s related to shortcut viruses.
- If so, right-click on them and select Delete. Do this at your own risk! Always make sure you know what a key does before tampering with it. Accidentally deleting an important key can cause Windows to become unstable.
- Close the Registry Editor.
- Open the Run prompt (Windows key + R keyboard shortcut), type msconfig, then click OK to open the System Configuration window.
- In the Startup tab, look for any strange-looking .EXE or .VBS programs, select each one and click Disable.
- Close the System Configuration window.
- Open the Run prompt (Windows key + R keyboard shortcut), type %TEMP%, then click OK to open the Windows Temp folder. Delete everything inside. (Don’t worry, it’s safe!)
- In File Explorer, navigate to the following folder:
- Look for any strange-looking .EXE or .VBS files and delete them.
If the above doesn’t work, you might also try using USBFix Free. It’s technically meant to clean up USB drives and other external devices, but you can point it to regular system drives and it will clean them up too. It works pretty well as a shortcut virus remover tool. Many have seen success with it, but we can’t be held responsible if it backfires and you lose data. Always back up your data first!
Note: If the infected drive or partition is the same one as your Windows system (for most users, that means the C: drive), there’s no easy way to clean all of the false shortcuts. Fortunately, in Windows 8.1 and 10, you can opt to reset or refresh Windows. On Windows 7, you’ll need to reinstall Windows.
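The Task Manager, startup and Temp folder checks in the steps above can be captured in one read-only pass before anything is ended, disabled or deleted. The PowerShell script below is an added example, not part of the original article; the match pattern is an assumption built from the names the steps mention (wscript and .VBS).

```powershell
# Added example (not from the original article): read-only listing of running
# script hosts, startup entries and Temp-folder executables. Nothing is changed.
# The pattern is an assumption based on the names this article mentions.
$pattern = 'wscript|\.vbs'

# Running Windows Script Host processes, with the script each was started on.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" |
    Select-Object ProcessId, Name, CommandLine

# Startup commands Windows reports, flagged when they match the pattern.
$startup = Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User,
        @{ Name = 'Flagged'; Expression = { $_.Command -match $pattern } }

# .EXE and .VBS files currently sitting in the user's Temp folder.
$temp = Get-ChildItem -LiteralPath $env:TEMP -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.vbs' } |
    Select-Object FullName, Length, LastWriteTime

'--- Running wscript.exe processes ---'
$procs | Format-List
'--- Startup entries (flagged first) ---'
$startup | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
'--- .EXE / .VBS files in %TEMP% ---'
$temp | Format-Table -AutoSize -Wrap
```

A flagged entry is a prompt to look closer, not proof of infection; compare the CommandLine of any running wscript.exe with the flagged startup commands to see which entry launched it.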
Tips for Avoiding Malware in the Future
With a little bit of knowledge and a lot of common sense, malware can be surprisingly easy to prevent. Check out our best tips for avoiding malware, our exploration of sites most likely to infect you with malware, and our guide to spotting fake virus and malware warnings.
To protect yourself from future malware infections, use one of these antivirus programs.