If your USB drive suddenly shows nothing but shortcuts where your files used to be — don’t panic, and definitely don’t format it yet. You haven’t lost your data. The shortcut virus is sneaky, but it doesn’t actually delete your files. It just hides them and puts fake shortcut icons in their place to trick you into clicking something you shouldn’t.
I’ve seen this happen to people who plugged their pen drive into a college computer, a cybercafe machine, or even a friend’s laptop. One moment everything’s fine, the next — your 8GB drive shows 1KB shortcuts and nothing else.
This guide covers every working method to remove the shortcut virus from your USB drive, pen drive, SD card, or even your Windows PC — without losing a single file. We’ll go from the quickest fix (a single CMD command) all the way to cleaning it from your registry if it keeps coming back.
So, let’s get into more details to understand and learn how to remove virus from usb without deleting files.
How does shortcut virus work or what it does to the files?
The shortcut virus isn’t one specific virus — it’s a category of malware that behaves in a predictable way. The most common versions spread through USB drives, SD cards, and external hard disks. When your drive gets plugged into an infected computer, the virus copies itself onto your storage and immediately gets to work.
Here’s what it actually does step by step:
It hides every folder on your drive using Windows’ built-in file attribute system — marking them as hidden and system files so Windows won’t show them by default. Then it creates a shortcut file with the exact same name as each of your folders. These shortcuts are tiny (usually around 1KB) and carry the .lnk, .exe, or .vbs extension.
When you click one of those shortcuts thinking you’re opening your folder, you’re actually running the virus. That’s how it spreads from the USB to your computer — and from your computer to every new USB you plug in afterward.
Some variants also create an autorun.inf file in the root of your drive, which can automatically execute the virus the moment you connect the drive, without you clicking anything at all.
The tricky part is that your actual files are still sitting there on the drive — they’re just invisible. That’s why the fix doesn’t involve recovering deleted files; it’s about making the hidden files visible again and then cleaning up the virus files.
This type of virus can be categorized into a trojan virus as you would not know that the USB drive you plugged into the PC carries the virus infection and can be named under worm virus as it will reappear as soon as you restart the PC.
Well, now you realized that it’s been infected how can you fix USB virus. let’s see the ways to heal and disinfect the virus, it is not that complicated kind of virus so the removal of the shortcut virus can be performed easily.
How to remove USB virus shortcut?
There are many ways and different tools to disinfect the shortcut virus, let’s see some free and effective ways to remove the shortcut virus. Below is the list of the ways to remove the virus
- Using command through the command prompt
- Using free antivirus tools
- Remove Shortcut Virus from the registry keys
- Using third party virus removal tools
Method 1: Using Command through the command prompt to remove shortcut virus | command to remove shortcut virus.
After you have plugged in your USB drive into your PC check the drive letter it has associated with.
Now open the command prompt as administrator, you can click start in windows 7 or windows 10 and type cmd then right-click on to the command prompt application and choose run as administrator. Accept if any access right prompt appears.
Type the following command at the command prompt window
attrib f:\*.* -r -s -h /d /s
The letter f:\ is the drive letter you have noted after attaching the USB drive.
Let’s see what does the above command does to the drive. Attrib command is used to change the attributes of the files and folders associated with them here we are changing the attributes of all the folders and files in drive f which is specified by saying *. *.
– Clears an attribute.
-R Removes Read-only file attribute.
-S Removes System file attribute.
-H Removes Hidden file attribute.
/S Processes matching files in the current folder and all sub-folders.
/D Processes folders as well.
Check the drive, all the files and folders should appear in the drive. Check if there are any unwanted files with weird file names if any delete them.
Once you have your data, you can format the USB. Before formatting USB you can copy all your files to another location and perform a quick format.
So, this is one of the method to remove shortcut virus using cmd. Below you will learn and understand more ways to deal with this shortcut virus.
Method 2: Shortcut virus removal Using free antivirus shortcut remover tools.
After performing the method 1, if you have any antivirus installed then perform a full scan to disinfect any virus affected to the PC files.
If you don’t have any installed antivirus you can download any free or trial antivirus to perform the full scan. Almost all the top antivirus products provide you with a trial period, select any antivirus software and hit the trial button, install it and perform a full scan of your computer and see if it wipes out all the unwanted programs and viruses.
If you want to download any of the available shortcut virus removal software you can try any one of them from the below.
These all are third-party tools, based on most of the successful reviews we have suggested you the options, but usage and effect of the software is completely users’ discretion. Please check the documentation and backup your data before using any of it. We will not be responsible for any unusual effect or data loss.
If you need any review or any working guide on any of the software please let us know either in comments or through contact-us page we will try to do the best to help you out.
Method 3: Remove Shortcut Virus Using a BAT File (Easiest Repeatable Fix)
If you deal with this virus regularly — maybe you use USB drives across multiple computers — this method saves a lot of time. Instead of typing commands every time, you create a small script file once and just run it whenever you need it.
Step 1. Right-click anywhere on your desktop and choose New → Text Document. Open it.
Step 2. Paste the following code exactly as it appears below:
@echo off
del *.lnk /s /q
attrib -h -r -s /s /d
del autorun.inf /s /qStep 3. Go to File → Save As. In the filename box, type fix_shortcut.bat — make sure you change the “Save as type” to All Files, not Text Document. If you save it as a .txt file it won’t work.
Step 4. Copy this .bat file onto your infected USB drive.
Step 5. Open the USB drive in File Explorer, then double-click the .bat file to run it. A black Command Prompt window will flash open briefly and close — that’s normal.
After it runs, your original files should reappear. Delete any leftover .lnk shortcuts you see, and then delete the .bat file from the drive once you’re done.
Why this works: The script runs the same attrib command we covered in Method 1, but it also automatically deletes all .lnk shortcut files and the autorun.inf file in one shot — which the manual method doesn’t do.
Method 4: Remove shortcut virus using Windows Registry
Well, If you do not wish to install any extra software and want to completely remove the shortcut virus we will show you all the steps to follow to accomplish the job. In the below steps will we try to remove the source of the virus manually which might get activated if the USB drive is inserted back again.
Before going to open the windows registry we will see if any task is still running in the background, we can use the taskmanager to end it.
Let’s open the taskmanager by right-clicking on the taskbar and select taskmanager, or press ctrl+Alt+Delete keys and select taskmanger or just press Ctrl+Shift+Esc keys
Once taskmanager is open, go to the Details tab (Process tab in Windows 7), look for wscript in the processes list if you find it either with .exe or .vbs extension. Right-click on it and press the End Task button to stop the process and close the taskmanger.
Now after we stopped the process lets open the windows registry to find and remove any unwanted entries.
- To open the windows registry editor press start and type Regedit or in run command (windows+r).
Note: Editing or deleting the important keys can cause serious damage to the windows operating system, do the following steps at your own risk. It is recommended to take a backup of the registry keys before performing any changes.
After you have opened the registry editor on the left side pane follow the below path to reach Run menu.
Click on HKEY_CURRENT_USER and expand through Software -> Microsoft -> Windows -> Current Version -> Run.
Or just type the below path in the address bar of the registry editor window
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Now in the right pane of the registry editor window look for any unusual entries for eg. WXCKYz, odwcamszas, OUzzckky, ZGFYszaas. If you found anyone of those select them and search on the internet for the details about the entry.
- If the entry is related to the shortcut virus, select and delete the entry by right click on the entry and select delete. Close the Regedit window.
Removing the Shortcut Virus From Your Windows PC
Cleaning the USB drive is only half the job. If your PC was the source of the infection — or if the virus jumped from the USB to your computer — plugging in a clean drive later will just re-infect it all over again.
Here’s how to find and remove the virus from Windows itself.
Step 1: Kill the running process
Press Ctrl + Shift + Esc to open Task Manager. Click the Details tab (or Processes in Windows 7).
Look through the list for any of these:
wscript.exewscript.vbs- Any process running a .vbs file you don’t recognize
Right-click on it and select End Task. If Windows tells you it can’t be ended, move to the next step first and come back.
Step 2: Clean up the startup entries
In Windows 10 or 11, open Task Manager and click the Startup tab. In Windows 7, press Win + R, type msconfig, and go to the Startup tab.
Look for anything with a .vbs or .exe extension that has a vague or random-looking name — things like nkvasyoxww.vbs or odwcamszas.exe are classic shortcut virus entries. Right-click and Disable anything suspicious.
Step 3: Delete the temp files
Press Win + R, type %temp%, and hit Enter. This opens your temporary files folder. Press Ctrl + A to select everything, then Shift + Delete to permanently remove it.
Do the same with just temp in the Run box (some virus files hide in both locations).
Step 4: Run a registry check
(Follow the registry steps already covered in Method 4 of this guide.)
Step 5: Restart your computer
After completing all the above steps, restart. Once it boots back up, plug in your USB drive again and check if it re-infects. If it does, your antivirus scan from Method 2 didn’t fully remove it — try Malwarebytes or Hitman Pro as a second opinion scanner.
My Files Still Aren’t Showing — Now What?
In most cases, running the attrib command brings everything back. But occasionally the virus has done additional damage, or the attrib command didn’t run correctly, and your files still appear missing.
Before you try anything drastic, check these things first:
Check if hidden files are showing in Windows. Open File Explorer, click View, then check the box for Hidden items. If your files suddenly appear (probably faded/transparent icons), they’re still there — just hidden. The attrib command may not have run on all subfolders.
Run the command again, making sure you’re typing the correct drive letter. The command should be:
attrib -h -r -s /s /d X:\*.*(Replace X with your actual drive letter.)
Check the drive’s used space. If your USB shows 4GB used but appears empty, that’s a strong sign the files are hidden rather than deleted. A tool like Disk Usage Analyzer can confirm this.
If files are genuinely gone, the virus may have moved or encrypted them, or someone formatted the drive. In that case you’ll need a file recovery tool. Free options include Recuva (Windows), which does a surprisingly thorough job on USB drives that haven’t been written to since the infection.
Additional steps
After this step, it is recommended to restart your PC to make sure that there is no start-up scheduled saved after we restart. So let’s do the following steps to check that.
In windows 8 or windows 10 open taskmanager and go to Startup tab and in windows 7 or previous, type msconfig in Run (windows+r) command box to open system configuration and select startup tab.
In this tab look for any strange program names with .exe or .vbs extension for eg. nkvasyoxww.vbs then select them and click on disable.
Close the taskmanger (system configuration window in windows 7 or earlier) and at this point, you can restart the computer.
Or before doing so just delete all the temporary files of your computer and restart.
Press windows +r to open run command box and type %temp% and in temporary folder select all by pressing ctrl+a and press shift+delete to permanently delete everything. Don’t worry about deleting these files.
Now finally close everything and hit the restart to restart your computer and see if the shortcut virus is gone!
If any of the above steps could not resolve and remove the shortcut virus, the last best option is to backup your data and format and reinstall the operating system. In Windows 8 or 10 you can try reset or refresh your windows.
Advisory Note:
As the proverb says “Prevention is better than cure” it is always recommended to have a backup of all the important data and to have complete protection against viruses and malware. A good antivirus or malware protection like Kaspersky Antivirus or any other program installed will give good peace of mind.
Here you can get an idea on how to choose the best antivirus for your computer.
How to Stop the Shortcut Virus From Coming Back
Once you’ve cleaned everything up, these habits will keep you from dealing with this again:
Disable AutoRun on Windows. This stops the virus from automatically executing when a USB is plugged in. Press Win + R, type gpedit.msc, and navigate to Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies. Set Turn off AutoPlay to Enabled for all drives.
If you don’t have Group Policy Editor (Home editions of Windows), you can do this through the Registry by setting NoDriveTypeAutoRun to FF under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Never open files directly from an unknown USB. Copy files to your desktop first, scan them, then open them from there.
Keep your antivirus definitions updated. Most shortcut virus variants are old and well-documented — a regularly updated antivirus should catch them before they execute.
Scan before you share. If you’re handing your USB to someone else, run a quick scan first. You don’t want to be the reason their drive gets infected too.
Use write-protection when you can. Some USB drives have a physical write-protect switch on the side. Flipping it on before plugging into an unfamiliar computer means nothing can write to it — including viruses.
Wrapping Up
The shortcut virus is one of those infections that looks worse than it actually is. Your files aren’t gone — they’re just buried under some clever trickery. In most cases, a single CMD command is all it takes to get everything back.
If Method 1 worked for you, great — but don’t stop there. Make sure you also clean your PC (not just the USB) so the virus doesn’t reappear next time you plug in. And if you’re still seeing shortcuts come back after a restart, that’s your sign the virus is still running somewhere in the background — usually in the registry or startup entries.
Take 10 minutes to go through the full cleanup and you should be completely clear. If you hit a specific error during any of these steps, drop it in the comments and I’ll help you figure out what’s going on.
