Folders have become shortcuts to what to do. How to remove a virus that creates shortcuts to files and folders on a flash drive, memory card or USB drive

Various USB drives, SD cards and other USB storage devices are very convenient devices that most users have. Such devices can be taken anywhere: to work, leisure, in a cafe, if you work there. This, of course, is all very well, but at some point a misfortune may happen to the flash drive, which we will talk about today.

I, and most likely other users, had such a problem, which consisted in the fact that all documents, folder files on the flash drive turned into shortcuts, there was also a strange folder called .Trashes. You might think that this is some kind of virus that corrupted all the files on the USB drive. So what if the files on the flash drive turned into shortcuts?

In general, if you try to check the flash drive with an antivirus, then there is a chance that it will find something bad there, as happened to me. If so, you can clean up this "bad". After restarting the computer, I went to the USB drive and everything remained as it is: the shortcuts remained.

There is a very good way to solve this problem on the Internet. I will describe it here to help users if they are faced with such an unpleasant problem.

1 way

For starters, in the explorer options, this is done in the top menu of any folder. Next, open a command prompt as an administrator and enter the following command there:

attrib -h -r -s /s f:\*.*


By the way, don't forget to change f:\ to the letter of your flash drive. It might turn out, for example, like this: attrib -h -r -s /s r:\*.*

After you have done the work, open the flash drive and make sure that the files and folders are present, but the shortcuts may remain, it's okay, the main thing is that now you can move your files.

Transfer all files that are not shortcuts to another location, for example, to a computer. Now, format the flash drive, then try to scan the USB flash drive again with an antivirus just in case.

Move the necessary files back to the flash drive. After all the steps above, your issue should be resolved.

Second way

If nothing happened with the first option, then there is another method, which is to create a bat file with the following content:

Now, we run it as an administrator, after which, the running program will prompt you to enter the letter of the flash drive with which there was a problem. After that, the shortcuts and the virus will be removed from the flash drive, and everything that you had on the flash drive will remain safe and sound.

An interesting virus crept into computers at work. It creates a flash drive shortcut on the flash drive itself, and when a person connects such a flash drive, he thinks that this is a harmless glitch and launches the shortcut. And the shortcut, in turn, executes the malicious code written in the properties, and then only opens the folder with files to the user. Antivirus programs turned out to be powerless, I decided to try to eliminate this trouble on my own.

The virus spreads only via USB flash drives

So, if you go to Google with a query Virus creates flash drive shortcut on flash drive we will see special threads on the forums (an example of a topic on cyberforum.ru (http://www.cyberforum.ru/viruses/thread970282.html)) where people ask to remove this nonsense.

To eliminate a virus that creates a flash drive shortcut on a flash drive, you need to send computer scan reports, then follow the guru's recommendations and that's it. And what to do if the entire fleet of computer equipment is infected? It will be very expensive to send a report for each PC, because. Not all employees will be able to do this. Yes, and to treat flash drives to everyone, without exception, is also hemorrhagic in time.

As an option, I decided to try to study this virus on my own. To do this, install a virtual Windows in VirtualBox, infected it with an infected flash drive. Now I am looking for a universal and simple way to clean computers from a virus that creates a flash drive shortcut on a flash drive, as well as protect the system from infected usb media.

Security Considerations

Open the contents of the flash drive bypassing the launch of a malicious shortcut

As I said earlier, the virus spreads only through usb devices by launching the executable code from the shortcut properties. In order to open all hidden files, you can use the following script:

Attrib "*" -s -h -a -r /s /d

Save it as run.bat and keep on hand.

Disable autorun USB devices To disable the autorun of a USB flash drive and a CD, you need to edit the registry:

  1. "Start" - "Run" and write "regedit";
  2. Open the path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  3. We go to the Explorer section, and if it is not there, create a new section and rename it to "Explorer";
  4. In the "Explorer" section, create the NoDriveTypeAutoRun key and enter the key value 0x4 to disable autorun of all removable devices.

When they bring a flash drive with a label at the root, you need to

  1. copy run.bat to the root of the flash drive and run;
  2. after which many invisible files will open to us, including a folder with an empty name, where the virus has downloaded all the files;
  3. we open the free utility from Microsoft Process Explorer and find the link to autorun through CTRL + F, we complete this process;
  4. now it remains to delete all files from the root, except for this folder.
  5. go to the folder and move its contents to a higher level, i.e. to the root of the flash drive.

So far, that's all I have. Hope to update you soon

Treatment of the virus from the reader (The method does not work. Revised on 10/02/2015)

Thank you very much! I think the information will be relevant for visitors!

By the way, this virus somehow gradually died out in our country. Everyone copied the script that he wrote above to check the flash drive, each time they were cleaned and checked. And people who always bring in infected devices refused to take them. And so we defeated this infection.

It must be flash drives that are most commonly affected today, being the most common devices. Any viruses, "rootkits", "trojans" primarily attack this type of media. Often, after the drive is infected, the user notices that folders and files on the flash drive have become shortcuts. In this case, it is not possible to extract or read information from the directory or file. Of course, no one will forbid formatting the drive and getting rid of the problem in one fell swoop, but if the file system stores important data, this option is not possible. Why and how to deal with this problem? This will be described in the article.

About viruses and users

An ordinary user, faced with a problem, proceeds as follows: he simply clicks on each shortcut in an attempt to gain access to at least one directory. The second scenario is formatting, which does not solve the problem, and if it does (in the absence of important data), then not for long.

Remember, the information from the flash drive does not disappear anywhere. All folders have become shortcuts, and the folders themselves are hidden, but not deleted. The data remains in place, but the virus has masked it, trying to pass off links to launch malicious code as original content. It follows that these links should not be clicked, even if they open the desired directory. Usually a malicious program that refers to a special service file, where two commands are nested. The first one loads the virus into memory and copies it to the hard drive of the computer, the second one opens the directory required by the user.

But do not think that if the files and folders on the flash drive turned into a shortcut, but did not open, the virus did not penetrate the local machine. Most likely, the malware has already moved onto the user's computer. This possibility is excluded only if an antivirus with the latest virus databases is installed in the operating system from removable media or installed.

manual ways

Before restoring the original appearance of directories, you need to remove malware. This can be done manually or automatically. In the first case, you need to find out where the virus program file is located.

Right-click on the shortcut and select "Properties". Pay attention to the area with the name "Object". Here is the full path to the program that launches the virus. Just because of him, the files on the flash drive became shortcuts. In almost all cases, each label will refer to the same data area on the storage medium. It should be removed. If the malware is located in a directory that was created by itself (that is, this directory was not on the flash drive before), you can delete all its contents.

In addition to the flash drive, also check the directory roots:

  • C:\Users\UserName\AppData\Roaming.
  • C:\Documents and Setting\UserName\Local Settings\Applications Data.

If you find any executable file (with the exe extension) in them, most likely your computer is infected and you need to use an antivirus program.

specialized software

If the files on the flash drive have become shortcuts, then in order to completely get rid of malware, and at the same time to make sure, you need to check not only the flash drive, but the entire computer. At the same time, malware often injects its code into an antivirus already installed on the machine, so it is best to use a special boot drive that can be easily created. Moreover, the developers of anti-virus screens themselves contribute to the development of this segment of applications.

Creating a bootable CD

Even a novice user can handle this task. The algorithm of actions is as follows:

  • Download Dr.Web LiveDisk from the developer's official site.
  • Download UltraISO and install. At the same time, during the installation of the application, its functions will be integrated into the explorer, which will make the burning process the simplest.
  • Double-click the LiveDisk image file with the left mouse button. The UltraISO window will immediately open. The user will only have to click on the "Record" button, after inserting a blank disc into the DVD-ROM.
  • In a few minutes, the boot drive will be ready.

Create a bootable flash drive

There are times when files on a flash drive have become shortcuts, but there is no empty disk suitable for recording at hand, or a CD drive is not installed on the computer at all. Then you can create a bootable flash drive. Moreover, this procedure is simpler and faster than burning a CD.

  • Download the Dr.Web LiveDisk distribution kit for USB drives from the official website.
  • Run "drwebliveusb.exe" (preferably run this operation as an administrator).
  • Don't forget to insert your flash drive into the USB port.
  • From the drop-down menu, select the device to which the LiveDisk will be written.
  • Check the box next to "Format" and click on the "Create LiveUsb" button
  • After completing all processes, click "Exit".

Preparing to download

After or disk, you need to configure the BIOS. To enter the configuration utility, you will have to press the "DEL" key (less often - "F12") at the very initial computer boot screen. Watch the messages that appear on the screen to understand which button is responsible for entering the BIOS. The required string will look like: "Press [button name] to enter setup".

After entering the BIOS, go to the "Advanced" or "Boot" tab, and in the "First Boot Device" line, select "CD-ROM" or "USB". To exit and save your changes, go to the "Queet" tab and select "Exit and Save". The computer will automatically restart and start using the device that was previously specified by the user as the system device.

Computer check

If there are shortcuts on your drive instead of folders, it will be impossible to restore folders on a flash drive without a full scan. Of course, you can reset the attributes and save all the data in a different place, then format the device and forget about the problem, but this solution method cannot be considered complete, because it is impossible to track the operation of the virus. It is likely that he is already in full force "host" on the computer.

The initial screen of the LiveDisk bootloader will display a menu with options:

  • Safe mode (safe mode, which can help if the previous option does not work).
  • Testing Memory (checking RAM).

    • You must select either the first or second item.

    Wait for a while until the desktop is displayed. At the same time, the Control Center should automatically launch. If this does not happen, click on the analogue of the "Start" button, which is located in the lower right corner of the desktop and looks like a spider, select "Control Center".

    In the top menu of the window that opens, you will need to click on the "Tools" item and select the "Settings" line. The first tab will provide a choice of actions applicable to dangerous objects. Set each line to "Delete".

    The second tab is called "Scanner". At the bottom there are two input fields. The first sets the maximum size of scanned files. Here it is better to set the value to "0" to disable the restriction. The second sets the maximum number of checks for one file. It is recommended to set the value to "5". And be sure to check the box next to the "Scan archives" line. Once configured, the window can be closed.

    In the "Control Center" open the "Scanner" tab and select "Custom Scan". Here, check the boxes for all drives and click the "Scan" button.

    The test time depends on the size of all hard drives and their speed. Stock up on patience. After completing the check, click on "Exit". Don't forget to change the values ​​in the BIOS to those that were before starting LiveDisk.

    Restoring Attributes

    If folders have become shortcuts, the solution to the problem lies not only in checking the computer and drive for viruses. After removing the malicious code, you need to return all files and directories. As noted earlier, they remained on the flash drive, but are hidden from the user. A simple change in the attributes made it appear that there were no directories. The same simple change will allow the content to be displayed again. There are several ways to help you perform this operation.

    Method one

    Open a Windows Command Prompt. For this:

    • Click on the "Start" button and select "Run".
    • In the input line, type "cmd" and click on the "OK" button (or just press "ENTER" after entering). A command prompt will open.
    • First, enter the command "cd / d X: \" into it and press the "ENTER" key. Replace "X" with the letter of the drive installed in your computer.
    • With the next command, enter "attrib -s -h /d /s".

    After completing the above steps, the files and directories will return to their rightful place. You can continue to work with them, as before the virus attack.

    Method two

    If the files on the flash drive have become shortcuts, you can automate the process of resetting the attributes to the initial ones. But for automation, you will have to do a simple procedure:

    • Open notepad. This can be done from the Start menu, following the path "Accessories - Notepad", or by typing "notepad" in the "Run" window.
    • Type "attrib -s -h /d /s" in notepad.
    • Click on the inscription "File" in the top menu of the program and select "Save".
    • Specify a name for the saved file, for example: "name.bat". Be careful: you must write "bat" after the dot, otherwise the file will open in notepad, which will not lead to the desired result.
    • Move the saved file to the root of the flash drive.
    • After copying, just run it like any other program.
    • The file can be left in case a virus settles on the flash drive again.

    Prevention

    If shortcuts appeared on the flash drive instead of folders, but this is not the first time this has happened, a great way to secure your machine is to disable autoload from all devices, be it even a USB drive, even a hard drive, even a DVD drive.

    The fact is that when you connect any drive, the operating system reads the list of files. This is very convenient, because you can set it up so that when you install a music disc, the player automatically turns on, and if there are a lot of text files on the flash drive, its contents are automatically displayed in Explorer. But if "autorun.inf" is located at the root of the device's file system, the operating system ignores any such settings and executes the commands written in this file. You can use this behavior of the OS both for good and for harm, which is what the creators of viruses use. It turns out that at first the code of the malicious program is copied to the computer using this file, and then the machine itself writes such files to each new drive, and the files on the flash drive become shortcuts.

    The proposed prevention option is perfect if the flash drive is often used on different computers. That is, malicious code located on someone else's machine can be written to a drive, but it will no longer spread to the local computer. All that remains is to check the flash drive with antivirus tools and restore the directory attributes.

    In Windows operating systems, starting with Vista, autorun can be disabled in two ways. The first option, which will not work for Windows XP owners, is as follows:

    • Open the "Start" menu and select "Control Panel" from it.
    • Here, find the item with the speaking name "Autostart".
    • Uncheck the checkbox next to the "Use autorun for all media" line.

    The second method is more complicated, but it can also be used if the files on the flash drive become shortcuts, and Windows XP is used on the computer:

    • Open the Start menu and select Run.
    • In the line of the window that opens, type "gpedit.msc" and press "OK" or "ENTER". The Group Policy settings will open.
    • In the left part of the window, expand the path "Computer Configuration" - "Administrative Templates" - "Windows Components" - "AutoPlay Policy".
    • The possible settings will be displayed on the right side. In the drop-down menu, you need to select the option "Disable autorun", and then click on the "OK" button.
    • The changes will be saved, but will not take effect until the computer is restarted. It is possible to bypass this limitation.
    • Open the Run window and type "gpupdate" into it. A command prompt will open on the screen that says "Update Policy". The operation will be performed for several minutes, after closing the window the changes will be applied.

    The situation looks like this: there were folders on the flash drive, but they miraculously turned into shortcuts, i.e. to files with the lnk extension. When trying to open such a file, a message appears:

    In this case, “Q” is the name of the removable disk (flash drive), yours may be different. The shortcut directs us to a folder with an executable file (exe extension), which is a virus.

    What exactly happened: as a result of the virus, all folders were assigned the "system" and "hidden" attributes, i. they remained on the flash drive, but we cannot see them using the Windows GUI. Instead of folders, shortcuts appeared with the same names leading to the file with the virus.

    What to do if folders have turned into shortcuts? Step-by-step instruction.

    On the Internet, I came across a solution to the problem by changing the attributes of folders (in fact, a folder is a file) using the command line. For those users who are not friendly with the command line, I suggest an alternative way - I used the FAR Manager file manager for this purpose. This manager is always convenient to have at hand and we have already used it when editing the hosts file (Video I can’t log into classmates. Problem solving).

    Step 1. We check the flash drive for viruses. I checked with AVAST 4.8 Professionl antivirus. Removed all the "left" shortcuts from it, saying that it was the LNK Trojan.

    Avast removed all "left" shortcuts

    If your antivirus leaves folder shortcuts in place, delete them yourself, they are not needed.

    Step 2 Download FAR Manager, unpack the archive and run the Far.exe file;

    Step 3 Go to a removable disk (flash drive). Use the keys to select a drive. Alt+F1;

    All hidden system files (left panel) are highlighted in dark blue - these are our "disappeared" folders.

    All hidden system files (left panel) are highlighted in dark blue - these are our "lost" folders

    Step 4 In order not to change the attributes for each folder individually, specify them all at once: first select the first file from the list, and then press the key Insert on the keyboard and hold until the names of all the files of interest to us are highlighted in yellow.

    Selecting a group of files in FAR Manager

    Step 5 Press the F4 key on your keyboard (or the Edit button in FAR). In the menu that opens, remove the signs (question mark, cross) in the items:


    If you did everything right, the color of the filenames will change from dark blue to white.

    After changing the attributes, the color of the folder names turned white

    Now you can go to the flash drive from under Windows and make sure that everything is displayed without problems.

    After changing the attributes, all folders became available again

    I advise you to keep the FAR Manager file manager always at hand, so it will allow, if necessary, to bypass Windows restrictions on changing files.

    As you understand, with the help of FAR Manager, you can also do the reverse procedure, i.e. hide your files on a flash drive from inexperienced users.

    In conclusion, I want to say thanks to the programmer Evgeny Roshal, who created the FAR Manager and the well-known RAR and WinRAR archivers.

    Evgeny Mukhutdinov

    Fitting © 2022 Design and interior of apartments