Remove Shortcut Virus from Pen Drives, Memory Cards, USB Drives

Stop Shortcut Viruses Dead in Their Tracks! Have you ever plugged in your USB drive or memory card only to find all your files replaced by shortcuts? This frustrating issue is caused by a shortcut virus, a common malware that targets removable storage devices. Our article provides a detailed, step-by-step guide on how to remove this virus and prevent future infections, ensuring your files stay safe and accessible. From initial detection to final cleanup, we’ll show you all the tools and techniques needed to restore your pen drives, memory cards, and USB drives to full health.

Remove Shortcut Virus from Pen Drives, Memory Cards, USB Drives

Have your files and folders on a USB drive, pen drive or memory card turned into shortcuts? Is your USB drive, pen drive or memory card shown as a shortcut? Are you looking for a method to restore your data and remove the pesky shortcut virus? Is your computer infected, in spite of having an antivirus installed? Unfortunately, few antiviruses can protect you against this misfortune.

With all those nasty effects, this type of virus is relatively harmless (especially if you think of ransomware and the like) so data can be restored, and the virus removed quite easily.

Types of shortcut viruses

At the moment, the two types of shortcut viruses are the most widespread: the first type creates shortcuts instead of files and folders on a pen drive or memory card, while the other type creates shortcuts of removable drives instead of the actual pen drives, USB drives and memory cards.

Names of the most widespread viruses:

  • Bundpil.Shortcu;
  • Mal/Bundpil-LNK;
  • Ramnit.CPL;
  • Serviks.Shortcut;
  • Troj/Agent-NXIMal/FakeAV-BW;
  • Trojan.Generic.7206697 (B);
  • Trojan.VBS.TTE (B);
  • Trojan.VBS.TTE;
  • VBS.Agent-35;
  • VBS.Serviks;
  • VBS/Autorun.EY worm;
  • VBS/Autorun.worm.k virus;
  • VBS/Canteix.AK;
  • VBS/Worm.BH;
  • W32.Exploit.CVE-2010_2568-1;
  • W32.Trojan.Starter-2;
  • W32/Sality.AB.2;
  • Win32/Ramnit.A virus;
  • Worm:VBS/Cantix.A;

The virus turning files and folders into shortcuts

This virus duplicates your files and folders, then hides and replaces them. It is a combination of a Trojan and a worm. The danger is that you start a virus every time when you want to open your file or folder. When you start a virus, it multiplies itself and infects more and more files, and often installs more malware that can steal data on your passwords and credit cards stored on your PC.

The virus turning pen drives and memory cards into shortcuts

This is a thoroughbred Trojan that hides all removable drives connected to the computer and replaces them with shortcuts for these devices. Every time you click on the shortcut, you start the virus again and again, so it starts looking for any financial data on your PC, and sends it to its creators.

What can be done if the virus attacks your PC

Unfortunately, few antiviruses can recognize the threat in time and protect your PC from infestation. That is why the best protection is to disable autorun option for removable devices and avoid clicking on file, folder or disk shortcuts. Be attentive and don’t click on the shortcuts which you didn’t create. Instead of the usual double-click to open the drive, right-click on it and select Open in new window.

Recover data removed by the virus

To restore effectively the data removed by this type of virus, use Hetman Partition Recovery. It uses low-level functions in working with the disk, so it can bypass the virus blocking and read all of your files.

The tool recovers data from any devices, regardless of the cause of data loss.

Download and install the program, then analyze the infected pen drive or memory card. Restore the information before cleaning the drive from the virus. The most reliable method is to clean the pen drive with the command DiskPart, which will remove all data.

Delete the virus from the memory card or USB drive

After recovering data from the pen drive, you can clean it entirely with the help of diskpart. Removing all files and formatting the device may still miss the virus hiding in the boot sector, partition table or unallocated area of the drive. Watch the video to see how to clean a pen drive properly.

Remove the virus from the pen drive with the Command Prompt

This method cannot clean your pen drive from all kinds of viruses for sure, but it can help you to get rid of the shortcut virus. You don’t have to download and install any third-party utilities – all the work can be done with this Windows-integrated tool.

  1. Right-click on the Start menu and run the Command Prompt as Administrator.

    Command Prompt
  2. Enter the command j: and press Enter (where j: is the letter of the USB drive infected by a virus).

  3. Enter the command: attrib j:*.* /d /s -h -r –s and press Enter:

    • –h: shows all hidden files on the flash drive;
    • –r: disables the read-only setting;
    • –s: disables the system mark from all files.

Delete the virus from your PC

The easiest and most reliable way to clean the computer from the virus is to completely reinstall Windows, with removing the system partition.

However, if you are a power user, here’s one thing you can try:

  1. Modify the Windows registry to prevent the virus from auto-starting. Press the key shortcut Win + R, in the window that appear, type regedit and press Enter. Go to HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Run.


    View all keys located there. If you see an unusual name or location of a program, remove the entry. Often viruses are hiding under automatically generated names, such as sfdWQD234dcfF. Any keys starting VBS, INI, LINK or EXE files are potentially dangerous. However, you are the person to know for sure what programs are installed on your computer and are supposed to start with Windows, so it’s up to you to decide if a certain key has to be removed. To remove a key, select it by left click and press Del.

  2. Disable the virus auto-start in Windows Services. Press the key shortcut Win + R, in the window that appears, type msconfig and press Enter. In the window that opens, jump to the tab Services. View them and disable all that seem to be suspicious.

  3. Disable the apps that are started automatically via Task Manager (For Windows 8 and older) Press Ctrl + Shift + Esc and go to the tab Startup. To prevent a suspicious app from starting, right-click on it and select Disable.

    Task Manager
Vladimir Artiukh

Author: , Technical Writer

Vladimir Artiukh is a technical writer for Hetman Software, as well as the voice and face of their English-speaking YouTube channel, Hetman Software: Data Recovery for Windows. He handles tutorials, how-tos, and detailed reviews on how the company’s tools work with all kinds of data storage devices.

Oleg Afonin

Editor: , Technical Writer

Oleg Afonin is an expert in mobile forensics, data recovery and computer systems. He often attends large data security conferences, and writes several blogs for such resources as, Elcomsoft and Habr. In addition to his online activities, Oleg’s articles are also published in professional magazines. Also, Oleg Afonin is the co-author of a well-known book, Mobile Forensics - Advanced Investigative Strategies.

Recommended For You

Hello! This is AI-based Hetman Software virtual assistant, and it will answer any of your questions right away.
Start Chat