Virus! My files turned into shortcuts (Solved) – Updated August 2014


Originally posted on October 11, 2010

Lots of people are having the same problem with a damn virus. It spreads via USB memory sticks or external hard drives, and “converts” all the files into shortcuts.  Fortunately the real files are still there, but you are unable to see them. We will fix the problem in four simple steps.

PS: Don’t worry if my pictures are in Spanish. I’m gonna explain all the steps in English, and the process is much simpler than it looks.

Step One

Windows has the bad habit of hiding certain files and their extensions. This may help novice users to avoid confusing them, but presents serious drawbacks. You may, for example, run a dangerous program called  “photo.jpg.exe” because you only saw the “photo.jpg” portion of the name.

For that reason, and also to help fighting this memory stick infection, you need to make all files visible. The following steps apply for Windows XP, Vista and 7.

  1. Click on Start
  2. Click on Control Panel
  3. Pick Folder Options
  4. >Click on “View” tab
  5. Clear the following check boxes:
  6. Clear the check box “Hide protected operating system files (Recommended)”
  7. Clear the check box “Hide extensions for known file types”

Click Accept to apply the changes

Step Two

We need to make sure that your computer is clean from the infection.

If a healthy USB memory remains clean after plugging it in, this means your computer is clean and you can jump directly to step three.

If a healthy USB stick gets corrupted after being used on your computer, that a sign that the virus is running on your system and your antivirus is not doing it’s job. Use the update function  your Antivirus. If the antivirus still fails to catch the infection even after the update, you definitely need to use another product.

Some users are reporting that their current Antivirus brand was unable to detect and eliminate the infection. I like the products from Avira, Kaspersky and Dr.WEB. The first one offers a Free version, the others offer 30 day trials. But please STOP: Before start uninstalling and installing things, follow this whole guide in order to test if your current Antivirus get rid of the infection. Also to avoid incompatibilities and system problems Do NOT install more than one (1) antivirus program on a single computer.

—————————————————————–

August 2014 Update

Some users are reporting that no matter what antivirus they used, the virus kept running. For those still having issues:

  • Open Task Manager (Ctrl+Alt+Del)
  • Go to the Processes tab
  • Look for WSCRIPT.EXE that is currently running.

But wait! Before ending the process, right click on the virus name and pick “Open  File Location”. After the Windows Explorer tab pops up, you can end the process.

Step Zero

Let’s go to our new Explorer Window. When you try to delete the virus executable file, an error will occur.

Cannot_Delete

Don’t panic, this is normal. As strange as it sounds, we need to take ownership of the file. Right click on the file and select “Properties”

Step A

Now on the dialog box that appears:

  • Pick “Security” and then “Advanced”
  • On the new dialogue box, pick “Owner”
  • In the example screenshot you will see that the virus changed the Current Owner to “TrustedInstaller”. So, from the list called “Change Owner to:” pick your Administrator name and click OK.

Step B

Now  that you own the virus, let’s go back to the beginning

  • Again, Right click on the virus file
  • Pick “Properties”
  • and again “Security”.
  • But this time, on the dialog that pops-up click on “Edit”

STEP C

A new (almost identical) window will pop up.

  • Click on “SYSTEM” and deny “Read & Execute” and “Read”.
  • Repeat the same operation with all the elements of “Group and user Names”

Step E

You will not be able to delete the file, but don’t worry. The computer will not be able to run this virus executable file.

—————————————————————–

Step Three

If step one and two went great, you should be able to see your files again. Unfortunately they are still marked as “hidden” (hence the ghostly look of the icons). We are going to fix that in a moment, but first we are going to delete these crappy shortcuts that were created by the virus and have nothing to do with your real files.

Proceed to delete the shortcuts, the Autorun.inf, any .vbs or .exe file, in fact delete everything you don’t recognize as yours.!

Needless to say, be careful, do not delete your legit files.

Step Four (Last one!)

To permanently change the properties of your files and return their appareance back to normal we need to open the Command Prompt.On Windows Vista and 7:

  • Click on Start
  • Type cmd in the first box you see
  • Press ENTER

On Windows XP:

    • Click on Start
    • Click on Run
    • Type cmd
    • Press ENTER

On the black Window that appears -technically called the Command prompt- write the commands shown on the picture. Don’t forget to replace the letter X with the letter of your infected drive.

For example, if your affected drive letter is F then the command should be attrib -h -r -s /s /d F:\*.*

After writing the command hit enter and wait a few seconds while the changes are made.

Done!

Go back to the file explorer and see if the file attributes are back to normal.

Now that your issue is solved, why you don’t relax for a while checking the other sections of this site?

370 thoughts on “Virus! My files turned into shortcuts (Solved) – Updated August 2014

      • hi.. i am having a little trouble in this… the steps u provided worked fine for a drive which nis a part of my har disk partition. but for a pen drive from it does not work. i followed the same procedure in both the cases but it didnt worked for the pen drive. pls tell me some way to remove this problem… whenever i add any files to the pen drive it is replaced by a shortcut.. although i can still access the contents with no damage done but it always takes time and the base address of the shortcut lies somewhere in the C drive(i.e. the drive where i have installed Windows 7)
        please help me in this! thanks !

      • This is great! I followed everything from Step 1 to 5 and they all worked. Here:

        1. Stop the script from running, via task manager
        2. Locate the VBS file in your local user via REGEDIT
        3. Delete the VBS file in your local user
        4. Delete the key reference (the one that you just saw in REGEDIT)
        5. Simply run Command prompt and enter the command “attrib…” (make sure you use the same Drive Letter)
        6. Go to your USB, then right-click > Prperties > Read-Only (here you will see that “Hidden” is clickable already which before was not clickable). Then Apply!
        7. Then you can smile now. Problem Solved! Very good reference! Compared with the others I checked, this one is really good. Great post!

      • I can’t do step 5 either. After i type the command and hit the enter button , all the files will be back to normal but after a while all the shortcuts will be visible though i have already deleted those files and the original file will be in hidden form, what should i do ?

    • Hi guys. thanks a lot, just wanted to add to this post that also delete from registry folder named ulbloqmeed under hkey local machine ,please add it to the orginal post and thanks again

      Itai

      • Hi Itai, ulbloqmeed.vbs is just one of the names that this issue could be called, but this is still the .vbs file that would be deleted by following the instructions

  1. Thank you!!! I wanted to print a file (using a pc in the university library) and my USB stick was infected. Thought I lost one semester’s work for my PhD and almost got crazy! Instructions were easy to follow and accurate enough. My files are “restored”. Thank you

  2. IT WORKED , SAVED MY 500 GB IMPORTANT DATA SAVED MY LIFE..THANKS AAAA LOT ,GOD BLESS U.
    ANY NEW IDEAS LIKE THIS……….IS WELCOME

  3. Hi there! I’m so happy I found this site :). Just one question: even after making visible all the files, the only files I see are shortcuts… do I delete them all? I can’t see any of my own file and I’m afraid of deleting all my data … So go for it or not? Thank you so much!

  4. Thank you so very much. This helped me save all of my work. I’m currently backing everything up! I can’t thanl you enough.

    • Oops, got passed $RECYCLE.BIN folder by run as administrator before start cmd.exe. But then, got stuck again with a file called gencomp.dll in another folder. Need help!!!

      • Ah, no worries! I didn’t wait enough. Seems only two of files (or folders) that have access denied; gencomp.dll and System Volume Information folder. The rest got unhidden. Well, better then switch all of them manually. Thanks, Felipe!!!

  5. it still doesnt work for me! i had it formated and it still does it! maybe the USB infected my pc could that be it?

    • Hey plug ur sd card and just go to task manager by ctrl+alt+del and there go to details and then delete wscript.exe…and jst make sure the file does’nt exist there

  6. now i wont have to copy the files to my pc then copy it back to my memory card .. thank you .. you saved my anime’s :)

  7. why it is not working? the command prompt, i followed properly.. it is said that attrib is not recognized as internal or external command, operable program or batch file

    • HEy typr cmd then type cd X: change the X of the drive letter of yours then type this after doing that attrib -h -r -s /s /d F:\*.* the wait but also replace the letter F with the letter of ur drive ( sd or flash drive )!! if you did not got it your idiot // !!!

  8. I have just one little problem, after doing everything the autorun.inf file keeps coming back and I’m using windows 7, trying to work on my blackberry memory card, so sad, I lost all my pictures, videos and songs too

  9. hey thanks i recovered my files
    but when i try to delete those shortcuts a dialogue box shows up “file in use” the action cant be completed because the file is open in Host process for Windows Services

    what to do

    and i think my pc is infected too
    everytime i connect any usb..same annoying shortcuts..i have avast internet security

    • Hello Veki
      It’s evident that Avast is not doing its Job. I don’t like to talk about specific antivirus to avoid endless discussions, but if you ask me I would recommend Kaspersky (there’s a free trial version on their site). Microsoft Security Essentials is a good permanent free alternative.

  10. Hi, I believe it works for others but I’m getting “Access Denied” return on each folder…how do I adress that?

  11. thank you, it seems the problems are gone…used Malwarebytes (maybe there are better products out there) free trial, and did the job for me after disabling autorun

  12. One question, under step 4: Step Four – Now that your vision is restored, delete Autorun.inf, and everything you don’t recognize as yours. Delete the shortcuts too, because they are part of the infection and not related with your files, even if they have the same name.

    Where are you referring to when you recommend file deletions? The infected USB or the harddisk with Windows OS or any other hard disks (external or internal) attached to the computer? Please specify as all I can see from my infected USB drives are (1) files that ended with ..vbs, exe, and (2) movie files that I copied previously into the drive which became un-recognizable now. Thanks.

  13. ah sir mine is different there is no autorun but it has .vbs something when i search it in google i cant find it and when i delete it, it will pop up again in mattter of seconds

  14. For the last step, there doesn’t seem to be any ‘X’ that appears on the black screen that comes out. All it says is C:\Users\Z226>_
    That’s it. How do i finish the last steps please? Because i just deleted ALL my files and i need them for real.

  15. Sir, I did recover file but i still can’t delete shortcut. It says open in Host process for Windows Services… please reply me. how to delete that shortcut

  16. i tried what u said, but the HAMZA.vbs file keeps reappearing even after i do delete it. when i try plugging any of my pendrives it affects them, due to which i believe the problem lies in the system. please help me :( MalwareBytes did not detect it ._.

    • I’m sorry to hear that Britney. I don’t like to recommend a specific antivirus, but there are lots of free trial options like Kaspersky or Dr. Webb. They will be sufficient to get rid of the problem

  17. okay, guys please help me :)
    i am using windows 7, Microsoft security essentials (just updated).
    there is an autorun.inf in my usb flash drive.
    I tried to delete it and it says access denied. administrator permission required (I am the administrator but it didn’t ask for my password). when I tried the cmd thing you suggested I got this:

    access denied – G:\AUTORUN.INF

  18. i tried doing this, it turned my files back to normal but when i reinsert it it turns back from being a shortcut, please help me.. what can i do?

    • 1. Disabled “Microsoft Windows Based Script Host” on Star Up
      2.Open Task Manager Find “wscript.exe” And End Task That File
      3. Follow Step Three to Step Five Done.. !

  19. i tried doing this, it turned my files back to normal but when i reinsert it it turns back from being a shortcut, please help me.. what can i do? What can i do?

  20. Kaspersky works. I installed the trial version and instantly removed the virus. My PC is now completely cured. Instructions were a great help. Thanx

      • the same porblem i have here man..the vbs and shortcuts reappear again despite i did everystep u wrote down so carefully…and my blackberry memory card still doesnt want to show any pictures or songs..any help!?

  21. I done all the step and I found out that there were some Infected objects in my comp then deletes it etc.. but the problems is whenever I reinserted my flash drive again my files just came back being a shortcut icon. should I reformat my comp now?

  22. when i was searching for answers for the virus,first i looked in youtube the found a solution just like this,but the video i found DOESN’T HAVE STEP2 written in this page,when i did the FF steps in the video,the shortcuts dissapeard but sadly the effect does only 4,5,7,9 seconds maby , is that what you get when you don’t do STEP2???

  23. thanks fo helping. well, I did all the steps correctly but im having a problem it shows my files just for temporary then goes back to the shortcut virus again….i want it gone permanently. HLP ME PLEASE!

  24. I’m using AVIRA antivirus , deleted the vb scripit file but after a few seconds it comes back. and again and again. help me pls.

  25. Hello :) I just wanna share, I clear the virs via USB Disk Security. At first I have done it but the Virus always come back, but after I have done the Step Two and end process the wscript.exe in the Task Manager, I Delete again the Malware via USB Disk Security then it didn’t come back. I don’t know how to explain it how does it happen but it really works :))

      • Hey , Just show the hidden files and type the cool.vbs in Search programs and files or Run. when there is cool.vbs appeared just delete it and empty your recycle bin. Try to connect your drives. If the virus is gone ! Then Reply Tnx :D And if not Find another solution.

  26. For those still having issues and it and cannot stop it, then

    open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

    You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

    Follow the instructions above.

  27. Oops it doesn’t work for me… maybe my computer is infected (but I update my anti virus and did a full computer scan and it says zero files infected). The moment i delete all the shortcuts they reappear..
    Any other idea will be appreciated….
    Thanks

    • OCTOBER 10, 2013 – 1:27 AM
      Grafik Krime
      0 0 Rate This
      For those still having issues and it and cannot stop it, then

      open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

      You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

      Follow the instructions above.

  28. Hmm thnx dude, it really work
    but there is still one problem , my original files displayed but there is also again and again link files displayed even i dell it then again display link too, with original file..

      • For those still having issues and it and cannot stop it, then

        open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

        You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

        Follow the instructions above rom Felipe to recover your USB.

    • Read and follow the instructions correctly, if you do so the items will not be there and you will then see your hidden folders and it will be resolved. the only reason this will not work is if you have missed a step, like stopping the .VBS file from running and making sure its gone after a restart of the PC

  29. im on windows 8 and i found the .vbs file in the registry but could not find it in its location for me to delete it. Also , i could not find WSCRIPT.exe in task manager

  30. thank you very much indeed,was trying to fight this off for a long time,however would also be obliged if you guys could mention a tweak for the same in win 8.

    • Sorry I don’t use or ever intend on using Win 8 but the same principles should apply though, so hopefully someone that uses win 8 can add to this if they organise a fix.

      1: Stop Process and delete the .vbs file
      2: Stop it restarting again (Modify Registry)
      3: Change attributes
      4: Delete fake Shortcuts

  31. i cant understand this part “then go back to REGEDIT and delete the registry key referencing the .VBS file.”
    i dont know which exact registry key to delete

    • It’s very simple John,

      Open regedit

      click on HKEY_CURRENT_USER\

      click on Software\

      click on Microsoft\

      click on Windows\

      click on CurrentVersion\

      click on Run

      And delete any entry that makes reference to a VBS file

  32. It works. I tried following the removal suggestions at the avast! forums but I just could not keep up with some of the more technical steps. It also required a lot of suggested cleaners from the users. This is a simple process that gets the job done.

    Now, I have some folders on my laptop that I cannot access. Some of them have padlock icons on the lower left (or was it right?) and some are slightly transparent. Should I delete these?

    Thank you very much!

    • HI Savan, they appear to be system files, if you go back to File and Folder options and turn off show hidden and show system files you will no longer see these.. as far as I know you should not delete any files for this infection apart from those on the infected USB only, well not unless you copied them to your desktop from your USB for some reason.

      Hope that helps

  33. Can you make a tutorial on how to remove the Recycle.bin Type virus i have a problem of it popping up again and again. i had malware installed and it cleaned a whole lot but it still keeps coming back! i need help on how to remove this!! i checked the other ways of removing it (REGEDIT ON SAFEMODE) and it still there!! aaaaaahhhhhh!!

    • Hi Eymuresu, when you mention the “Recycle Bin Virus” are you referring to the same virus mentioned here, ie it hides all of your folders and creates shortcuts for them, making you think your USB is empty or is your computer freezing with pop up windows, anti virus not working, being re-directed while browsing the internet etc, there are 2 possibly 3 separate viruses that you could be talking about here? Hopefully you don’t have more than 1 of them.

      Now the recycle bin virus is a bad one as it will kill the Antivirus program your running. Again this will depend on which version of windows your running but possible fixes are available below.

      Windows 8: http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/how-to-remove-recyclebin-system-volume-information/473cde05-a750-43a4-aa11-f52b0977b6b7

      Windows 7: http://answers.microsoft.com/en-us/windows/forum/windows_7-files/all-hard-drives-show-recyclebin-system-volume/1e457dd0-a34f-479d-9b77-c07071194ae3

      Other versions: your on your own.

      I believe that “ComboFix” malware protection might also be your answer once you stop the virus running on your pc you will need to then run this on your EXT hard drive to clean that up as well: http://www.combofix.org/

      • HI Felipe, there are a couple of different variations on this type of virus, the one you and I have covered the fix to here is the lesser of 2 evils,

        The recycler\recycle bin virus can cause major issues, complete loss of data, computer freezing, web browsing redirection, gathering personal data, etc again it activates by an autorun.inf file from a USB device, which places a “recycler bin, “resycled bin” icon on your desktop acting like your “recycle bin”, it also modifies the desktop.ini file and generally starts other programs on mouse right click. There are multiple varieties out there, its quite an old virus\malware but modified every now and again by some idiot. Most decent Virus/Malware programs will catch these if its up to date, well that is unless you are infected with the SHH/UPDATER virus, that will kill\stop all automatic updates to your pc especially your antivirus, also it cause issues with manual updates and then run rampant on your system

        Me personally I dont allow any drive to run any autoruns at all, and delete them when I see them, especially from a USB device that is used on multiple pc’s unless I know what it does, I just like being safe an know what’s running and when.

  34. I donwloaded the “malwarebytes” I runned it and… Nothing. I unhided everything and deleted the shortcuts but they kept coming back right after it was deleted! I followed the “command” process in which I was succesful! But the shortcuts would’t go away even when I tried to delete it again and all my media stil hasn’t appeard on my blackberry! Please – I need this issue to be resolved.

    • Hi Jurie\Felipe

      If you are infected with the issue that Felipe has covered here then the solution posted here will fix this issues for you, if it keeps reappearing then you will have missed one step in the process, ie stopping it running or stopping it from running again on restart, or you have not deleted one of the infected files and keep accessing it which will start the process again. Yes, Felipe is right that it appears this virus is being adapted and changed, so it is likely at some point the above fix will stop working altogether but I don’t think its there yet

      Does you Blackberry storage have a file called autorun.inf on it? if so then follow the above steps and then make sure that file is deleted. the Autorun.inf file could be infected and will start every time you plug the storage in, if allowed to by the computer that is.

      Also just so you’re aware, I have an infected USB file here that I have tested with Malware bytes\Avast\WSE\Norton and a pile of other Antivirus\malware utilities and as yet not one of them has fixed the issues, so for now its a manual process

  35. I wanna ask, after following all the steps,can i just delete the existing shortcut folder?will it affect my files?? btw thank you for solving my problem :)

  36. You saved my life… not actually.. but i was about to format my whole system and reinstall windows and everything until i came upon this page..
    That would have been painstakingly annoying.
    Thank You Grafik Kaime.. the Registry edit thing worked. :)

  37. thank you so much ,, from my heart it works ,,,, u are much blessed my fren,,, really thank you from my two hands ,, i dont have much to give you , but this is what makes you an angel , u did save me ,, <3 <3

  38. Thank you very much this article SAVED me from reformatting my laptop (:

    also, just a tip… if you guys can’t find the .vbs file… go to folder options and unhide the protected operating systems file, that should make you and your antivirus find it :D

  39. Thank you so much! It finally worked after pressing CTRL+ALT+DEL and removing all .exe files that were running.

    The only problem I faced is that it didnt work at first, I had an error : “Attribute Utility stopped working” everytime I initiated the command via CMD.

    Here is a little tutorial for the ones who have this issue, I had a process running that had as description:
    “Flash game you run forward as an alien in outer space. You can run and jump on the floor, walls, and even the ceiling.”

    This was corrupting all my files, even my explorer.exe, very nasty. What I did was first, replace my explorer.exe with a clean one (search on google for this).

    Than, I installed Malwarebytes anti malware, however the virus was so nasty it didnt let the program run. The reason for this was because its initial name was mba.exe or something like that. So what I did was go into C:/Program Files/Malwarebytes anti malware/ and rename the .exe to Explorer.exe (then the virus allows it to run).

    So then you let it scan your hard drives, and delete all trojans and restart.

    After that, the virus is still active on your C so what you need to do is press CTRL+ALT+DEL and search for the virus in your processes. Usually it has different names, in my case it was 8T34D.exe. ( look at description at the right hand corner to see “Flash game you run forward as an alien in outer space. You can run and jump on the floor, walls, and even the ceiling.”)

    You can right click on the running process and press “Open location” and usually its in your program data folder or somewhere very deep.

    You can also Search for this file simply by using the search of windows itself. Once you find the file, stop all processes in the task manager and delete the virus. Than, you run the CMD and do the attrib thingy that is explained above at this page.

    Your files should appear, however, be aware that you are not done yet. You need to scan your ENTIRE C for any leftovers that might fuck up your system again. So use malwarebytes anti malware do a full scan on your C and delete all trojans, viruses, malwares etc.

    I cant promise that you’re safe, keep alert, check your processes from time to time and backup your files. You never know when a virus hits you.

  40. Dear Sir,
    I’m using windows xp.I try the way you tell but there is problem The shortcut file are converted into their real one but after ejecting when again i connect my pen drive it shows the same problem & please tell me how can i format my pen drive and how can i delete this shortcuts.

  41. KUCH NHI HOTA H SAB FAKE H AUR I HOPE U HAVE COPIED ABOVE GIVEN STEPS FROM ANOTHER SITE….DEFINITELY WOULD LIKE TO SAY THAT “””” NOTHING HAPPENS “””””””……….

    • There are two possibilities: One, the virus was already neutralized. two, the virus has another name.

      Check if the files stay normal after finishing the steps. If the files keep being altered then the virus is still running under another name.

  42. my problem is that a day ago,i found that all my files in flash drive have changed to shortcuts….and when i do the task manager step,i find a file “winlogon.exe” appearing 2 times…n no wscript.exe file running…so is it the alternate name for wscript.exe or is it something else…??

  43. my problem is that a day ago,i found that all my files in flash drive have changed to shortcuts….and when i do the task manager step,i find a file “winlogon.exe” appearing 2 times…n no wscript.exe file running…so is it the alternate name for wscript.exe or is it something else…??

    and when i do the –This will stop the running virus, the next steps are for preventing it from running again next time you start your computer) step,i dont find any file that ends with .vbp but the same “winlogon.exe” file running….

    • Hello Patient

      Looks like your virus version changed name. Winlogon is a genuine windows process, if you see the name two times probably the virus is imitating it.

      Click on Start, on the box that appears (were you previously typed Regedit) type msconfig and tap enter

      On the dialog box that appears go to Startup tab and look for suspectful names. If the virus hiding capabilities aren’t good enough you wil probably find it on the list. Disable it and check if it appears next time as the repeated item.

      Remember, Winlogon is also a genuine process.

      Also try removing your current antivirus and installing Avira as the instructions say.

      About the Ajaz’s comment, naturally the virus developer will keep it evolving because it’s his/her business. Thinking that my steps will work every single time is absurd because viruses are not my business, I’m not an Antivirus company I don’t have the time or funds to keep chasing them. A bit of creativity from the user is also needed!

  44. @Felipe La Rotta,this time i did what u siad n i found that the name “winligon” was coming twice again but i found something else called “winlog”
    n pleez dont get irritated with my questions because i’m a student of class 8 only…
    i cant even suspect because i know almost nothing about viruses etc….
    …so pleeeeezzz help….
    if its appering twice then is “winlogon” the virus??

    • Don’t worry man, perhaps excuse me too, I was irritated by the other comment.

      Is hard to tell from here without knowing each file route. Did you tried installing Avira? Maybe it will detect the malicious element for us

  45. thanks thanks thanks
    my pendrive is showing shortcuts to every file and having a hidden .vbs file and my problem was solved after a long battle of 5hrs and i succeded to remove shortcut icons showing even after formatting.
    thank u sooooooooooooooooooooo much

  46. Hi Bro.
    I noticed that lots of people thanked you so I wish to have hope that I will join the list.

    In the main time, my memory card was invaded by this virus 2 months ago and there is nothing I haven’t done:
    * Updated my Antivirus
    * Made all files and extensions visible
    * Checked but found no “wscript” in the Task Manager
    * Checked but found no “vbs” file in Regedit
    * Even did some Command stuff “attrib -r -s -h /s f\*.*” that was supposed to make the files visible but instead got a “Not Resetting System File” response.

    I am messed up now. Can’t format cause I have files I need there.

    Note: This is only restricted to my memory card, I have inserted it in my pc even when there was no Antivirus and when there was, more than 40 times in the last 2 months but my pc remains okay, all my files still there – no shortcuts. Its only my memory card that’s badly infected.

    Observation: All the files in folders inside the memory card all can be retrieved cause the shortcuts open in a separate window when clicked. But the files on the root of the memory card are permanently on shortcuts.

    Awaiting your advice. Thanks in advance.

    • Hello Franklin!

      Looks like the damn virus is improving. I made a quick Google search about the “Not Reseting System File” and they suggest to use each command by separate. Let’s say that F is your damaged drive letter:

      attrib -h -r -s /s /d F:\*.doc (and tap enter)

      attrib -h -r -s /s /d F:\*.avi (and tap enter)

      attrib -h -r -s /s /d F:\*.png (and tap enter)

      attrib -h -r -s /s /d F:\*.jpg (and tap enter)

      and so on with every file type

      If that doesn’t work try with each attribute by separate

      attrib -h /s /d F:\*.* (and tap enter)
      attrib -r /s /d F:\*.* (and tap enter)
      attrib -s /s /d F:\*.* (and tap enter)

      Please let me know if it worked for you, I’ll wait for your answer

  47. Hi, I just did that thing to get rid of vbs file but when i go to where its supposed to be it isnt there. It seems it doesnt exist. Should i do the next step which was to delete the thing from the registry editor? Thanks

      • i just deleted the regedit vbs thing but my usb is still doing the same thing. should i carry on with the next 2 or 3 steps?

      • I tried to do the command promp thing but it doesnt work. Also, on your picture of the command prompt it says on the black box documents and settings
        mine says document and settings-user
        maybe thats why it doesnt work cos it has the additional word ‘user’.
        please can u help me, 3 of my usbs are messed up as well as my mobile phone. Thanks

  48. Your post resolved an issue that’s been lingering for 2 weeks! Very well articulated and 100% success rate for me.Thank you!

  49. hai guys pls can u help me with the removing of virus it is irritating me my memory card inserted in usb and then i deleted those shortcus and within a seconds it wil re placing in there place how should i remove this now

  50. I was almost about to re install window when i stumbled upon your article, and needless to say everything is perfect now thanks to you. You saved me man! Take care and thanks. God bless you

  51. Thank you very much. I earned the virus by bringing my USB flash drive to a printing shop. You are a lifesaver mate! Thank you!

  52. WOW THANK YOU!I spent about an hour trying to fix this and the freaking thing would keep coming back. That is until i followed these instructions!!!! THANK YOU! I LOVE U!!!

    • its an encoded script file rather than a standard Visual Basic Script file, so yes this infection from the posts above is evolving a little from when I first posted so I havent seen the new .vbe or vbs files as yet, Pretty sure I dont want to either

  53. hey in my usb there is MS Dos drdflk.vbe which never gets deleted , even after format it always reappears and makes shortcut of original file if it runs in windows 7 but in xp it turns original file into shortcut . i tried everything mention above but still not working. what should i do?

  54. ended process WSCRIPT.EXE, went to REGEDIT: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but didn’t find any .vbs file. BUT, I find a file which I think is suspicious = • Name: xuhjvihhox • Type: REG_SZ • DATA: wscript.exe//B “C:\Users\edward\AppData\Local\Temp\xuhjvhhox.vbs”

    WHAT SHOULD I DO? (I KNOW I SHOULD GO THERE AND DELETE IT, BUT I NEED YOUR DETAILED INSTRUCTION ON WHAT TO DO) THANKSSSSSS

    • Hi Arvin

      Right click on the registry key you found and delete it, then navigate to the folder C:\Users\edward\AppData\Local\Temp and delete that file, you may need to set the folder to being viewable though as it should be a hidden\system folder. Open Window Explorer, slelect organise (Top Left) Select Folder and search options (opens new window) select VIEW TAB then select SHOW HIDDEN FILES AND FOLDERS, uncheck Hide Protected Operating System files,

      You should now be able to delete the file, unless it is a running process, if it is then open task manager and stop any WSCRIPT.EXE processes, then delete the file.

      once Done go back and set you files to Hidden and hide operating system files again, to easy to make mistakes and stuff something up if your a novices

      • Everything worked like a charm! Thanks a bunch (seriously)! Cuz this virus is such a pain in the ass -.-
        Restarted my PC, checked taskmanager + regedit, and the file is completely gone.

        One more thing, tho. Here’s my situation:
        Yesterday, I wanted to some things in my phone (normal files: .docx, .mp3). When I inserted the USB cable(phone-PC), that’s the time that I found out this .vbs virus. Next day (today), I found your blog, followed your steps, restarted, cleaned the PC.

        Now, I’d like to insert my phone once again to continue transferring some files (I panicked & remove the USB after seeing the virus). WOULD IT BE SAFE NOW TO INSERT MY PHONE AGAIN?

        (btw, i still need to type attrib -h -r -s /s /d x:\*.* in the cmd if I have your confirmation/permission)

  55. hey guys i need help pls. I encounter a Trojan virus name “provide.vbs” this virus infect the usb by creating shortcuts for all the files in usb and hidden the original files. and also i found out this virus stay in PC on “C:\ Documents and Settings\ All Users\ Start Menu\ Programs\ Startup” and “C:\Documents and Settings\User_Name\Local Settings\Temp ” what is the best antivirus that when you insert your usb it can automatically delete that virus.???

  56. Thank you so very much this information. 3 different antivirus software couldn’t get rid of this bugger. I also surfed all over the net for solutions. They were all duds. You saved me from a sleepless night. :)

  57. This worked for my laptop. But on my other computer, i can’t seem to delete the .vbs from its location because it is open in “Microsoft Windowd Based Script Host” … what should i do? thank you!

    • Hi Celine, It looks like the process is still running, if this is the case then you cannot delete the active file until the process is stopped try all of the Steps at the top of the page, you should follow the instructions in regards to stopping the process from running and then delete the link in regedit, after this if you cannot delete the actual file there are a couple of things you could try.

      1: Instead of just hitting the delete key, try right click on the file, then cut and paste it to the recycle bin, then empty the recycle bin, and complete the rest of the steps as per top of page.

      2: if 1: didnt work, then after completing the stop\regedit steps, try restarting your PC in Safe Mode by pressing the F* key during start up, at the black screen and select Safe Mode, this will only start necessary programs from running, once restarted then try to delete the file and complete the rest of the steps as per top of page one again to make sure its all gone. then restart the computer and check everything is good once more

      Hope it Helps let us know how you went
      Regards Grafik

      • I’m sorry for bothering you. As it turns out i had accidently skipped the “ending process wscrispt.exe”. Sorry for having to bother you… Thank you so much you and this post have been of great help! :D

  58. Thanks to admin and Grafik Krime, finally I solved the problem started about a couple of weeks ago.
    Here is the update. In my case, I followed the steps that pretty similar to Grafik Krime :

    Open Task Manager (Ctrl+Alt+Del) and End Process for any wdr201b.exe that is currently running. (This will stop the running virus, the next steps are for preventing it from running again next time you start your computer)
    Click on Start
    Type REGEDIT and Tap Enter
    Click on HKEY_CURRENT_USER
    Click on Software\
    Click on Microsoft\
    Click on Windows\
    Click on CurrentVersion\
    Click on Run.
    On the list on the right find any reference (in my case : ‘W201b Driver’) to a file that ends with wdr201b.exe and take note of were that wdr201b.exe file is located (in my case : C:\Users\YourName\AppData\Local\Temp\wdr201b.exe
    Go to the said location and delete the .exe file
    Go back to Regedit and delete the registry key ‘W201b Driver’

    and then follow the step three, four and the rest.

  59. I accidentally deleted the registry key before deleting the file. Help!..

    I have a “load.exe” file on my memory card and my folders turned to shortcuts.. All of it… Can you please help me

    • Hello Diego

      If the virus is still running in your computer it will restore its registry entry again. If the virus was already terminated by your antivirus then deleting the suspicious .exe file will work (don’t forget to follow the other steps mentioned on the guide)

  60. Hi .the infected drive is my system drive C ….when i do step 5 ….and type attrib -h -r…etc. it says ” invalid switch /c”…any help on this?

  61. Hi..i followed all the steps…i have not found any .vbs files though…..i ran the attrib change…but while running….almost all files had ” access denied” written before it…thus when finished…nothing changed !!……any help please…..and unfortunately i have no restoration points to go to :(

  62. Thank you so much! this helped a lot! taken me almost an hour to configure (not really techie, got lost in translation haha), thankfully, with some luck, i managed to retrieve my files! THANK YOU!

  63. My laptop doesn’t have internet connections at the moment..and the laptop stated I don’t have antivirus that’s y the virus wasn’t detected..now I ddnt know it was a virus and last nyt I connected my blackberry to my laptop to take in some files..I copyd some songs from my laptop to my phone..bt then all of my folders in my memory card turned shortcuts..including the blackberry folder..now my phone isn’t showing any media files even though my memory card is in there..my memory card is still running as I played the downloaded songs and they played..without some songs saying they can’t find it and stuff..bt when I tried to go to the main blackberry folder ,where all media files should be as it was in the memory card,I found that I couldn’t open any file der cz they all were turned shortcuts..including my blackberry folder..and when I tried to open it..it didn’t open cz it didn’t recognise the file/it needs its main folder.. :'( …I need help!! and I can only see my files if I connect my bb to the laptop via an usb cable…bt bt I want my media in my phone.. :( :( :(

  64. i followed the steps but my antivirus program cannot detect any infection i can copy files but shortcuts are being created and cannot be deleted

  65. Dear Grafik Krime, You have helped and given support the entire world free of charge with this post, you are better than people who waste their money donating to NGOs whose directors become filthy rich instead of giving to those poor individuals who want to become self reliant! Give a man fish he eats for a day, show him how to catch fish he eats for a lifetime. Thanks for being an honest human! may God bless you.

    • Thanks Andrew, but the many thanks should go to Felipe La Rotta as he was the one that got it sorted first, I just added a couple of steps after it appears it had morphed a bit. Plus if it wasn’t for Felipe’s webpage here my steps wouldn’t count for anything.

      Good on ya Felipe, glad to see this is still helping others

  66. Thank you very much! At first i skipped through a couple lines thinking i’m too smart to read the entire thing… That was the only mistake. :)
    Thanks again!

  67. Hi. you are doing a great job. thanks alot for your able guidance. i need your guidance on another issue. in my devices there is a device with name I and actually there is not attached device. i tried all the possible ways to del it but its does’t work, plz help me in del this. regards

  68. One of the USB devices attached to this computer has malfunctioned, and window does not recognize it. what does it means and solution? plz

  69. it worked thanxx… now shall we revert the changes made to organise folder section under hidden files and all ?

  70. There is visibly a bundle to realize about this. I assume you made certain nice points in features also. eefeeaagedde

  71. This was definetly helpful.Though my files are still shortcuts i am happy that they open atleast.I appreciate your help and i will surely recommend this site.

  72. I just read your solutions to fixing shortcuts and it really works so im asking for your help in another matter. I have a PC that tells me my software is not genuine and it now has a black screen

  73. หมอตำแย ! ฉัน ต้องการ ให้ มาก นิ้วหัวแม่มือ ขึ้น สำหรับ ดี ข้อมูล คุณได้ ที่นี่ ที่นี่
    โพสต์ นี้ ฉันจะ กลับไป มา เว็บไซต์ของคุณ
    เพิ่มเติม ในเร็ว ๆ นี้ .

  74. Well i works at first but after a while he files turned to shorcuts again unless I used the command for the cmd but after sometime everything’s repeating again and shorcuts keep coming back.. I really hope there’s a permanent solution to this problem.

    • You aren’t following all the steps Elaine, or maybe your particular virus is an improved version. Executing the commands without killing the infection first is useless because the virus will revert the repair over and over again

  75. Ok, i have some problems : i am using windows xp and in my task manager, there are two processes of wscript.exe and when i right clicked on them, it didn’t appear to open the containing folder. Anyway, i searched and i found 2 x wscript.exe in my computer, one in the system32 folder and other at the path WINDOWS\ServicePackFiles\i386. And when i tried to delete them, i had no problem, it didn’t appear any error message or something. I entered in the usb flash drive and i deleted all the files. But the problem is when i restart my computer, the virus is back… what should i do ?

      • Ok after ending the wscript.exe process and taking ownership of the file. I find the file in local disk/windows/system32. I click on properties and then on security but when i click on Edit the boxes where i’m supposed to click on deny are kind of ghostly and when i click on read, read and execute nothing happens. The check in the box stays in allow. I dont know if i missed something but i’m sure i followed the steps accurately. I really need help. I’m considering formatting the entire pc but i dont want to lose my stuff.

      • No, don’t even think about that, formatting is not necessary. Maybe you aren’t an administrator on your computer, hence the steps don’t apply. Try using a software called combofix, another reader had sucess with it. I’ll try it myself as soon as I have time, if the result is positive I’ll update the guide,

  76. Pingback: Vulnerabilities presented by Windows Script Host (WSH) on Windows OS | Computers and Networks

  77. Hi.. when i was in SYSTEM part, i overlooked, i only got to unclick the allow boxes of the rea and read & execute. When i went back to adjust, the SYSTEM in the users list is gone. I was able to click deny for the other users. How can i get back to SYSTEM to edit? Thank you dear.

  78. Hello, thanks for your post. Combo fix took care “apparently” of the virus Windows Script Host, but since my computer was running slow, I searched for the file wscript, and it gave me 4 files, I deleted all but one, this one does not allow me to do so, I follow all your instructions from this file, but my question is… On the last step, can I put C?
    Thanks so much

Comments / Questions / Suggestions

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s