Virus! My files turned into shortcuts (Solved)


Originally posted on October 11, 2010

Lots of people are having the same problem with a damn virus. It spreads via USB memory sticks or external hard drives, and “converts” all the files into shortcuts. Fortunately the real files are still there; the user is just unable to see them. We will fix the problem in five simple steps.

Step One

Windows has the bad habit of hiding certain files and their extensions. This may be useful to avoid confusing novice users, but it has serious drawbacks. You may, for example, run a dangerous program like “photo.jpg.exe” because Windows only shows the “photo.jpg” portion. For that reason, and also to help fight this memory stick infection, you need to make all files visible. The following steps apply to Windows XP, Vista and 7.

  1. Click on Start
  2. Click on Control Panel
  3. Pick Folder Options
  4. Click on the “View” tab
  5. Clear the following check boxes:
     • “Hide protected operating system files (Recommended)”
     • “Hide extensions for known file types”

Click Accept to apply the changes

Step Two

We need to make sure that your computer is clean from the infection. If a healthy USB stick gets corrupted after being used on your computer, that is a sign that the virus is running on your system and your antivirus is not doing its job. Use the update function of your antivirus. If the antivirus still fails to catch the infection even after the update, you definitely need to use another product.

—————————————————————–

October 2013 Update

Some users are reporting that no matter what they did, the virus kept running. Reader Grafik Krime has contributed the following instructions:

For those still having issues with it and cannot stop it:

  1. Open Task Manager (Ctrl+Alt+Del) and End Process for any WSCRIPT.EXE that is currently running. (This will stop the running virus, the next steps are for preventing it from running again next time you start your computer)
  2. Click on Start
  3. Type REGEDIT and Tap Enter
  4. Click on HKEY_CURRENT_USER
  5. Click on Software\
  6. Click on Microsoft\
  7. Click on Windows\
  8. Click on CurrentVersion\
  9. Click on Run.
  10. On the list on the right find any reference to a file that ends with .vbs and take note of where that .vbs file is located
  11. Go to the said location and delete the .vbs file
  12. Go back to Regedit and delete the key referencing that said .vbs file

Thank you very much Grafik Krime!
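
The two checks in the instructions above (a running WSCRIPT.EXE and a Run entry that points at a .vbs file) can also be listed from Windows PowerShell. This is an added example, not part of the original post or of Grafik Krime's instructions; it only reads and reports, and it assumes Windows PowerShell (built into Windows 7 and later). The function names and the script extensions other than .vbs are assumptions of the example.

```powershell
# Added example: read-only report. Nothing is stopped, changed or deleted.
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# The post names .vbs; the other Windows Script Host extensions are an
# assumption of this example, included so renamed variants are listed too.
$ScriptExt = 'vbs|vbe|js|jse|wsf'

function Get-RunningScriptHost {
    # CommandLine shows which script file each wscript.exe is running.
    Get-WmiObject Win32_Process -Filter "Name = 'wscript.exe'" |
        Select-Object ProcessId, CommandLine
}

function Get-ScriptRunEntry {
    param([string]$KeyPath = $RunKey)

    $anyScript = '\.(?:{0})\b' -f $ScriptExt
    $quoted    = '"([^"]+\.(?:{0}))"' -f $ScriptExt
    $bare      = '([A-Za-z]:\\\S+\.(?:{0}))' -f $ScriptExt

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }

    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)

        # Keep only values that start a script file or call wscript.exe.
        if ($data -notmatch $anyScript -and $data -notmatch 'wscript') {
            continue
        }

        # Pull the script path out of the command: a quoted path first,
        # otherwise an unquoted drive path (which cannot contain spaces).
        $path = $null
        if ($data -match $quoted) {
            $path = $Matches[1]
        } elseif ($data -match $bare) {
            $path = $Matches[1]
        }

        # A missing file matches the case where the entry is in the registry
        # but the .vbs cannot be found at its location.
        $exists = if ($path) { Test-Path -LiteralPath $path } else { $false }

        New-Object PSObject -Property @{
            ValueName  = $name
            Command    = $data
            ScriptPath = $path
            FileExists = $exists
        } | Select-Object ValueName, Command, ScriptPath, FileExists
    }
}

'Running wscript.exe processes:'
Get-RunningScriptHost | Format-List

'Run entries that start a script:'
Get-ScriptRunEntry | Format-List
```

Each reported ValueName is the entry to delete in Regedit (step 12) and each ScriptPath is the file to delete (step 11).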

—————————————————————–

June 2013 Update

Some users are reporting that their current Antivirus brand was unable to detect and eliminate the infection. I like the products from Avira, Kaspersky and Dr.WEB. The first one offers a Free version, the others offer 30 day trials.

But please STOP: Before you start uninstalling and installing things, follow this whole guide in order to test if your current antivirus gets rid of the infection.

Also, to avoid incompatibilities and system problems, do NOT install more than one (1) antivirus program on a single computer.

—————————————————————–

Step Three

If everything went fine at this step you should be able to see “new” files in your USB drive. The formerly hidden files are probably your missing files and folders. The shortcuts, on the other hand, were created by the infection and are not related to your files.

Proceed to delete the shortcuts, the Autorun.inf, any .vbs file and everything you don’t recognize as yours. Needless to say, be careful, do not delete your legit files!
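
To tell the infection's items from your own before deleting anything, the root of the drive can be listed together with the command stored inside each shortcut. This is an added example, not part of the original post; it only reads the drive and assumes Windows PowerShell. The function name, the output columns and the extension list are assumptions of the example, and X:\ is the same placeholder drive letter the post uses.

```powershell
# Added example: read-only listing of the root folder of the infected drive.
function Get-DriveTriage {
    param([string]$Drive = 'X:\')   # X is a placeholder, use your drive letter

    # WScript.Shell reads the fields stored in a .lnk file without running it.
    $shell = New-Object -ComObject WScript.Shell

    # -Force includes hidden and system items, the state the real files are in.
    $items = @(Get-ChildItem -LiteralPath $Drive -Force)

    $hiddenFlag  = [IO.FileAttributes]::Hidden
    $hiddenNames = @($items |
        Where-Object { ($_.Attributes -band $hiddenFlag) -eq $hiddenFlag } |
        ForEach-Object { $_.Name })

    foreach ($item in $items) {
        $kind = 'File or folder'
        $runs = $null
        $twin = $false

        if ($item.Extension -eq '.lnk') {
            $lnk  = $shell.CreateShortcut($item.FullName)
            $kind = 'Shortcut'
            # What double-clicking the shortcut would start.
            $runs = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            # True when a hidden item with the same name exists beside it.
            $twin = $hiddenNames -contains $item.BaseName
        } elseif ($item.Name -eq 'autorun.inf') {
            $kind = 'Autorun file'
        } elseif ($item.Extension -match '^\.(vbs|vbe|js|jse|wsf|exe)$') {
            $kind = 'Script or program'
        }

        New-Object PSObject -Property @{
            Name       = $item.Name
            Kind       = $kind
            Hidden     = (($item.Attributes -band $hiddenFlag) -eq $hiddenFlag)
            HiddenTwin = $twin
            Runs       = $runs
        } | Select-Object Name, Kind, Hidden, HiddenTwin, Runs
    }
}

Get-DriveTriage -Drive 'X:\' | Format-Table -AutoSize -Wrap
```

A shortcut with HiddenTwin set to True stands in for a hidden file or folder of the same name, which is the item to keep. Only the root folder is listed.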

Step Four

To permanently change the properties of your files back to normal we need to open the Command Prompt.

On Windows Vista and 7:

  • Click on Start
  • Type cmd in the first box you see
  • Press ENTER

On Windows XP:

  • Click on Start
  • Click on Run
  • Type cmd
  • Press ENTER

Step Five

In the black window that appears (technically called the Command Prompt), write the commands shown in the picture. Don’t forget to replace the letter X with the letter of your infected drive.

For example, if your affected drive letter is F then the command should be attrib -h -r -s /s /d F:\*.*

After writing the command hit enter and wait a few seconds while the changes are made.

Done!

Go back to the file explorer and see if the file attributes are back to normal.


320 comments

      • Umang Kathuria

        hi.. i am having a little trouble in this… the steps u provided worked fine for a drive which is a part of my hard disk partition. but for a pen drive it does not work. i followed the same procedure in both the cases but it didn't work for the pen drive. pls tell me some way to remove this problem… whenever i add any files to the pen drive it is replaced by a shortcut.. although i can still access the contents with no damage done but it always takes time and the base address of the shortcut lies somewhere in the C drive (i.e. the drive where i have installed Windows 7)
        please help me in this! thanks !

      • theworldinaglass2013

        This is great! I followed everything from Step 1 to 5 and they all worked. Here:

        1. Stop the script from running, via task manager
        2. Locate the VBS file in your local user via REGEDIT
        3. Delete the VBS file in your local user
        4. Delete the key reference (the one that you just saw in REGEDIT)
        5. Simply run Command prompt and enter the command “attrib…” (make sure you use the same Drive Letter)
        6. Go to your USB, then right-click > Properties > Read-Only (here you will see that “Hidden” is clickable already which before was not clickable). Then Apply!
        7. Then you can smile now. Problem Solved! Very good reference! Compared with the others I checked, this one is really good. Great post!

      • Ri Ju

        I can’t do step 5 either. After i type the command and hit the enter button , all the files will be back to normal but after a while all the shortcuts will be visible though i have already deleted those files and the original file will be in hidden form, what should i do ?

    • itai

      Hi guys. thanks a lot, just wanted to add to this post that also delete from registry folder named ulbloqmeed under hkey local machine, please add it to the original post and thanks again

      Itai

      • Grafik Krime

        Hi Itai, ulbloqmeed.vbs is just one of the names that this issue could be called, but this is still the .vbs file that would be deleted by following the instructions

  1. Anonymous

    Thank you!!! I wanted to print a file (using a pc in the university library) and my USB stick was infected. Thought I lost one semester’s work for my PhD and almost got crazy! Instructions were easy to follow and accurate enough. My files are “restored”. Thank you

  2. Anonymous

    IT WORKED , SAVED MY 500 GB IMPORTANT DATA SAVED MY LIFE..THANKS AAAA LOT ,GOD BLESS U.
    ANY NEW IDEAS LIKE THIS……….IS WELCOME

  3. T

    Thank you, thank you! It worked. I was afraid I lost everything! I am now going to back up my USB just in case. YOU ROCK!

  4. Anonymous

    Hi there! I’m so happy I found this site :). Just one question: even after making visible all the files, the only files I see are shortcuts… do I delete them all? I can’t see any of my own file and I’m afraid of deleting all my data … So go for it or not? Thank you so much!

  5. Anonymous

    Thank you so very much. This helped me save all of my work. I’m currently backing everything up! I can’t thank you enough.

    • naidis76

      Oops, got past $RECYCLE.BIN folder by run as administrator before start cmd.exe. But then, got stuck again with a file called gencomp.dll in another folder. Need help!!!

      • naidis76

        Ah, no worries! I didn’t wait enough. Seems only two of files (or folders) that have access denied; gencomp.dll and System Volume Information folder. The rest got unhidden. Well, better than switch all of them manually. Thanks, Felipe!!!

  6. Marco R

    it still doesnt work for me! i had it formated and it still does it! maybe the USB infected my pc could that be it?

    • Sam

      Hey plug ur sd card and just go to task manager by ctrl+alt+del and there go to details and then delete wscript.exe…and jst make sure the file doesn’t exist there

  7. Anonymous

    now i wont have to copy the files to my pc then copy it back to my memory card .. thank you .. you saved my anime’s :)

  8. anne

    why it is not working? the command prompt, i followed properly.. it is said that attrib is not recognized as internal or external command, operable program or batch file

    • Anonymous

      Hey type cmd then type cd X: change the X to the drive letter of yours then type this after doing that attrib -h -r -s /s /d F:\*.* then wait but also replace the letter F with the letter of ur drive ( sd or flash drive )!! if you did not get it you're an idiot // !!!

  9. alex

    I have just one little problem, after doing everything the autorun.inf file keeps coming back and I’m using windows 7, trying to work on my blackberry memory card, so sad, I lost all my pictures, videos and songs too

  10. veki26

    hey thanks i recovered my files
    but when i try to delete those shortcuts a dialogue box shows up “file in use” the action cant be completed because the file is open in Host process for Windows Services

    what to do

    and i think my pc is infected too
    everytime i connect any usb..same annoying shortcuts..i have avast internet security

    • Felipe La Rotta

      Hello Veki
      It’s evident that Avast is not doing its Job. I don’t like to talk about specific antivirus to avoid endless discussions, but if you ask me I would recommend Kaspersky (there’s a free trial version on their site). Microsoft Security Essentials is a good permanent free alternative.

  11. Harry

    Hi, I believe it works for others but I’m getting “Access Denied” return on each folder…how do I address that?

  12. CAE

    thank you, it seems the problems are gone…used Malwarebytes (maybe there are better products out there) free trial, and did the job for me after disabling autorun

  13. C

    One question, under step 4: Step Four – Now that your vision is restored, delete Autorun.inf, and everything you don’t recognize as yours. Delete the shortcuts too, because they are part of the infection and not related with your files, even if they have the same name.

    Where are you referring to when you recommend file deletions? The infected USB or the harddisk with Windows OS or any other hard disks (external or internal) attached to the computer? Please specify as all I can see from my infected USB drives are (1) files that ended with ..vbs, exe, and (2) movie files that I copied previously into the drive which became un-recognizable now. Thanks.

    • Felipe La Rotta

      Hello C. Naturally I’m talking about the infected USB, not your computer. If these .vbs and .exe files on the USB memory aren’t yours (I bet they aren’t) go ahead and delete them.

  14. emil

    ah sir mine is different there is no autorun but it has .vbs something when i search it in google i cant find it and when i delete it, it will pop up again in matter of seconds

  15. Anonymous

    For the last step, there doesn’t seem to be any ‘X’ that appears on the black screen that comes out. All it says is C:\Users\Z226>_
    That’s it. How do i finish the last steps please? Because i just deleted ALL my files and i need them for real.

  16. Sizar

    Sir, I did recover file but i still can’t delete shortcut. It says open in Host process for Windows Services… please reply me. how to delete that shortcut

  17. Britney

    i tried what u said, but the HAMZA.vbs file keeps reappearing even after i do delete it. when i try plugging any of my pendrives it affects them, due to which i believe the problem lies in the system. please help me :( MalwareBytes did not detect it ._.

    • Felipe La Rotta

      I’m sorry to hear that Britney. I don’t like to recommend a specific antivirus, but there are lots of free trial options like Kaspersky or Dr.Web. They will be sufficient to get rid of the problem

  18. Anonymous

    it worked for me, but when i use the pen drive again it showing all the folders as shortcuts again…am using avast AV

  19. Bix Xa

    okay, guys please help me :)
    i am using windows 7, Microsoft security essentials (just updated).
    there is an autorun.inf in my usb flash drive.
    I tried to delete it and it says access denied. administrator permission required (I am the administrator but it didn’t ask for my password). when I tried the cmd thing you suggested I got this:

    access denied – G:\AUTORUN.INF

  20. Anonymous

    i tried doing this, it turned my files back to normal but when i reinsert it it turns back from being a shortcut, please help me.. what can i do?

    • ComTech

      1. Disabled “Microsoft Windows Based Script Host” on Start Up
      2. Open Task Manager Find “wscript.exe” And End Task That File
      3. Follow Step Three to Step Five Done.. !

  21. Anonymous

    i tried doing this, it turned my files back to normal but when i reinsert it it turns back from being a shortcut, please help me.. what can i do? What can i do?

  22. RED

    Kaspersky works. I installed the trial version and instantly removed the virus. My PC is now completely cured. Instructions were a great help. Thanx

      • Anonymous

        the same problem i have here man..the vbs and shortcuts reappear again despite i did every step u wrote down so carefully…and my blackberry memory card still doesnt want to show any pictures or songs..any help!?

  23. Anonymous

    I done all the step and I found out that there were some Infected objects in my comp then deletes it etc.. but the problems is whenever I reinserted my flash drive again my files just came back being a shortcut icon. should I reformat my comp now?

  24. Jorgie Samson

    when i was searching for answers for the virus, first i looked in youtube then found a solution just like this, but the video i found DOESN’T HAVE STEP2 written in this page, when i did the FF steps in the video, the shortcuts disappeared but sadly the effect does only 4,5,7,9 seconds maybe, is that what you get when you don’t do STEP2???

  25. njabulo

    thanks for helping. well, I did all the steps correctly but im having a problem it shows my files just for temporary then goes back to the shortcut virus again….i want it gone permanently. HLP ME PLEASE!

  26. Anonymous

    I’m using AVIRA antivirus, deleted the vb script file but after a few seconds it comes back. and again and again. help me pls.

  27. Nikee Pagatpat

    Hello :) I just wanna share, I clear the virus via USB Disk Security. At first I have done it but the Virus always come back, but after I have done the Step Two and end process the wscript.exe in the Task Manager, I Delete again the Malware via USB Disk Security then it didn’t come back. I don’t know how to explain it how does it happen but it really works :))

      • Erwin

        Hey , Just show the hidden files and type the cool.vbs in Search programs and files or Run. when there is cool.vbs appeared just delete it and empty your recycle bin. Try to connect your drives. If the virus is gone ! Then Reply Tnx :D And if not Find another solution.

  28. Grafik Krime

    For those still having issues with it and cannot stop it, then

    open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

    You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

    Follow the instructions above.

  29. Anonymous

    Oops it doesn’t work for me… maybe my computer is infected (but I update my anti virus and did a full computer scan and it says zero files infected). The moment i delete all the shortcuts they reappear..
    Any other idea will be appreciated….
    Thanks

    • Grafik Krime

      For those still having issues with it and cannot stop it, then

      open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

      You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

      Follow the instructions above.

  30. Mubasshir Satti

    Hmm thnx dude, it really work
    but there is still one problem , my original files displayed but there is also again and again link files displayed even i dell it then again display link too, with original file..

      • Grafik Krime

        For those still having issues with it and cannot stop it, then

        open Task Manager and End Process for any WSCRIPT.EXE that is currently running. (This will stop it running, now you need to stop it running again next time you start your computer)

        You then need to open REGEDIT and check for any reference to starting a .VBS file at startup from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. If you find a key that runs a .VBS file at startup then navigate to the folder it is running from and delete that .VBS file, then go back to REGEDIT and delete the registry key referencing the .VBS file. (This will stop the Virus from running and again at startup, now you need to fix your Flash Drive\USB Device)

        Follow the instructions above from Felipe to recover your USB.

    • Grafik Krime

      Read and follow the instructions correctly, if you do so the items will not be there and you will then see your hidden folders and it will be resolved. the only reason this will not work is if you have missed a step, like stopping the .VBS file from running and making sure its gone after a restart of the PC

  31. Anonymous

    im on windows 8 and i found the .vbs file in the registry but could not find it in its location for me to delete it. Also , i could not find WSCRIPT.exe in task manager

  32. Anonymous

    thank you very much indeed,was trying to fight this off for a long time,however would also be obliged if you guys could mention a tweak for the same in win 8.

    • Grafik Krime

      Sorry I don’t use or ever intend on using Win 8 but the same principles should apply though, so hopefully someone that uses win 8 can add to this if they organise a fix.

      1: Stop Process and delete the .vbs file
      2: Stop it restarting again (Modify Registry)
      3: Change attributes
      4: Delete fake Shortcuts

  33. john

    i cant understand this part “then go back to REGEDIT and delete the registry key referencing the .VBS file.”
    i dont know which exact registry key to delete

    • Felipe La Rotta

      It’s very simple John,

      Open regedit

      click on HKEY_CURRENT_USER\

      click on Software\

      click on Microsoft\

      click on Windows\

      click on CurrentVersion\

      click on Run

      And delete any entry that makes reference to a VBS file

  34. savantwalker

    It works. I tried following the removal suggestions at the avast! forums but I just could not keep up with some of the more technical steps. It also required a lot of suggested cleaners from the users. This is a simple process that gets the job done.

    Now, I have some folders on my laptop that I cannot access. Some of them have padlock icons on the lower left (or was it right?) and some are slightly transparent. Should I delete these?

    Thank you very much!

    • Grafik Krime

      HI Savan, they appear to be system files, if you go back to File and Folder options and turn off show hidden and show system files you will no longer see these.. as far as I know you should not delete any files for this infection apart from those on the infected USB only, well not unless you copied them to your desktop from your USB for some reason.

      Hope that helps

  35. Eymuresu

    Can you make a tutorial on how to remove the Recycle.bin Type virus i have a problem of it popping up again and again. i had malware installed and it cleaned a whole lot but it still keeps coming back! i need help on how to remove this!! i checked the other ways of removing it (REGEDIT ON SAFEMODE) and it still there!! aaaaaahhhhhh!!

    • Grafik Krime

      Hi Eymuresu, when you mention the “Recycle Bin Virus” are you referring to the same virus mentioned here, ie it hides all of your folders and creates shortcuts for them, making you think your USB is empty or is your computer freezing with pop up windows, anti virus not working, being re-directed while browsing the internet etc, there are 2 possibly 3 separate viruses that you could be talking about here? Hopefully you don’t have more than 1 of them.

      Now the recycle bin virus is a bad one as it will kill the Antivirus program you're running. Again this will depend on which version of windows you're running but possible fixes are available below.

      Windows 8: http://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/how-to-remove-recyclebin-system-volume-information/473cde05-a750-43a4-aa11-f52b0977b6b7

      Windows 7: http://answers.microsoft.com/en-us/windows/forum/windows_7-files/all-hard-drives-show-recyclebin-system-volume/1e457dd0-a34f-479d-9b77-c07071194ae3

      Other versions: you're on your own.

      I believe that “ComboFix” malware protection might also be your answer once you stop the virus running on your pc you will need to then run this on your EXT hard drive to clean that up as well: http://www.combofix.org/

      • Grafik Krime

        HI Felipe, there are a couple of different variations on this type of virus, the one you and I have covered the fix to here is the lesser of 2 evils,

        The recycler\recycle bin virus can cause major issues, complete loss of data, computer freezing, web browsing redirection, gathering personal data, etc again it activates by an autorun.inf file from a USB device, which places a “recycler bin, “resycled bin” icon on your desktop acting like your “recycle bin”, it also modifies the desktop.ini file and generally starts other programs on mouse right click. There are multiple varieties out there, its quite an old virus\malware but modified every now and again by some idiot. Most decent Virus/Malware programs will catch these if its up to date, well that is unless you are infected with the SHH/UPDATER virus, that will kill\stop all automatic updates to your pc especially your antivirus, also it cause issues with manual updates and then run rampant on your system

        Me personally I dont allow any drive to run any autoruns at all, and delete them when I see them, especially from a USB device that is used on multiple pc’s unless I know what it does, I just like being safe an know what’s running and when.

  36. Jurie

    I downloaded the “malwarebytes” I ran it and… Nothing. I unhid everything and deleted the shortcuts but they kept coming back right after it was deleted! I followed the “command” process in which I was successful! But the shortcuts wouldn’t go away even when I tried to delete it again and all my media still hasn’t appeared on my blackberry! Please – I need this issue to be resolved.

    • Grafik Krime

      Hi Jurie\Felipe

      If you are infected with the issue that Felipe has covered here then the solution posted here will fix this issues for you, if it keeps reappearing then you will have missed one step in the process, ie stopping it running or stopping it from running again on restart, or you have not deleted one of the infected files and keep accessing it which will start the process again. Yes, Felipe is right that it appears this virus is being adapted and changed, so it is likely at some point the above fix will stop working altogether but I don’t think its there yet

      Does your Blackberry storage have a file called autorun.inf on it? If so then follow the above steps and then make sure that file is deleted. The Autorun.inf file could be infected and will start every time you plug the storage in, if allowed to by the computer that is.

      Also just so you’re aware, I have an infected USB file here that I have tested with Malware bytes\Avast\WSE\Norton and a pile of other Antivirus\malware utilities and as yet not one of them has fixed the issues, so for now its a manual process

  37. ayiem

    I wanna ask, after following all the steps,can i just delete the existing shortcut folder?will it affect my files?? btw thank you for solving my problem :)

  38. skeezix

    You saved my life… not actually.. but i was about to format my whole system and reinstall windows and everything until i came upon this page..
    That would have been painstakingly annoying.
    Thank You Grafik Kaime.. the Registry edit thing worked. :)

  39. Manny Rai

    thank you so much ,, from my heart it works ,,,, u are much blessed my fren,,, really thank you from my two hands ,, i dont have much to give you , but this is what makes you an angel , u did save me ,, <3 <3

  40. Dan

    Thank you very much this article SAVED me from reformatting my laptop (:

    also, just a tip… if you guys can’t find the .vbs file… go to folder options and unhide the protected operating systems file, that should make you and your antivirus find it :D

  41. Anonymous

    Thank you so much! It finally worked after pressing CTRL+ALT+DEL and removing all .exe files that were running.

    The only problem I faced is that it didnt work at first, I had an error : “Attribute Utility stopped working” everytime I initiated the command via CMD.

    Here is a little tutorial for the ones who have this issue, I had a process running that had as description:
    “Flash game you run forward as an alien in outer space. You can run and jump on the floor, walls, and even the ceiling.”

    This was corrupting all my files, even my explorer.exe, very nasty. What I did was first, replace my explorer.exe with a clean one (search on google for this).

    Then, I installed Malwarebytes anti malware, however the virus was so nasty it didnt let the program run. The reason for this was because its initial name was mba.exe or something like that. So what I did was go into C:/Program Files/Malwarebytes anti malware/ and rename the .exe to Explorer.exe (then the virus allows it to run).

    So then you let it scan your hard drives, and delete all trojans and restart.

    After that, the virus is still active on your C so what you need to do is press CTRL+ALT+DEL and search for the virus in your processes. Usually it has different names, in my case it was 8T34D.exe. ( look at description at the right hand corner to see “Flash game you run forward as an alien in outer space. You can run and jump on the floor, walls, and even the ceiling.”)

    You can right click on the running process and press “Open location” and usually its in your program data folder or somewhere very deep.

    You can also Search for this file simply by using the search of windows itself. Once you find the file, stop all processes in the task manager and delete the virus. Then, you run the CMD and do the attrib thingy that is explained above at this page.

    Your files should appear, however, be aware that you are not done yet. You need to scan your ENTIRE C for any leftovers that might fuck up your system again. So use malwarebytes anti malware do a full scan on your C and delete all trojans, viruses, malwares etc.

    I cant promise that you’re safe, keep alert, check your processes from time to time and backup your files. You never know when a virus hits you.

  42. Lalit Kumar

    Dear Sir,
    I’m using windows xp.I try the way you tell but there is problem The shortcut file are converted into their real one but after ejecting when again i connect my pen drive it shows the same problem & please tell me how can i format my pen drive and how can i delete this shortcuts.

  43. Ajaz Ahmed

    NOTHING HAPPENS, IT IS ALL FAKE, AND I HOPE U HAVE COPIED ABOVE GIVEN STEPS FROM ANOTHER SITE….DEFINITELY WOULD LIKE TO SAY THAT “””” NOTHING HAPPENS “””””””……….

    • Felipe La Rotta

      There are two possibilities: One, the virus was already neutralized. two, the virus has another name.

      Check if the files stay normal after finishing the steps. If the files keep being altered then the virus is still running under another name.

  44. patient

    my problem is that a day ago,i found that all my files in flash drive have changed to shortcuts….and when i do the task manager step,i find a file “winlogon.exe” appearing 2 times…n no wscript.exe file running…so is it the alternate name for wscript.exe or is it something else…??

  45. patient

    my problem is that a day ago,i found that all my files in flash drive have changed to shortcuts….and when i do the task manager step,i find a file “winlogon.exe” appearing 2 times…n no wscript.exe file running…so is it the alternate name for wscript.exe or is it something else…??

    and when i do the –This will stop the running virus, the next steps are for preventing it from running again next time you start your computer) step,i dont find any file that ends with .vbp but the same “winlogon.exe” file running….

    • Felipe La Rotta

      Hello Patient

      Looks like your virus version changed name. Winlogon is a genuine windows process, if you see the name two times probably the virus is imitating it.

      Click on Start, on the box that appears (where you previously typed Regedit) type msconfig and tap enter

      On the dialog box that appears go to Startup tab and look for suspicious names. If the virus hiding capabilities aren’t good enough you will probably find it on the list. Disable it and check if it appears next time as the repeated item.

      Remember, Winlogon is also a genuine process.

      Also try removing your current antivirus and installing Avira as the instructions say.

      About the Ajaz’s comment, naturally the virus developer will keep it evolving because it’s his/her business. Thinking that my steps will work every single time is absurd because viruses are not my business, I’m not an Antivirus company I don’t have the time or funds to keep chasing them. A bit of creativity from the user is also needed!

  46. patient

    @Felipe La Rotta, this time i did what u said n i found that the name “winligon” was coming twice again but i found something else called “winlog”
    n pleez dont get irritated with my questions because i’m a student of class 8 only…
    i cant even suspect because i know almost nothing about viruses etc….
    …so pleeeeezzz help….
    if its appering twice then is “winlogon” the virus??

    • Felipe La Rotta

      Don’t worry man, perhaps excuse me too, I was irritated by the other comment.

      It is hard to tell from here without knowing each file route. Did you try installing Avira? Maybe it will detect the malicious element for us

  47. Anonymous

    thanks thanks thanks
    my pendrive is showing shortcuts to every file and having a hidden .vbs file and my problem was solved after a long battle of 5hrs and i succeeded to remove shortcut icons showing even after formatting.
    thank u sooooooooooooooooooooo much

  48. Franklin

    Hi Bro.
    I noticed that lots of people thanked you so I wish to have hope that I will join the list.

    In the meantime, my memory card was invaded by this virus 2 months ago and there is nothing I haven’t done:
    * Updated my Antivirus
    * Made all files and extensions visible
    * Checked but found no “wscript” in the Task Manager
    * Checked but found no “vbs” file in Regedit
    * Even did some Command stuff “attrib -r -s -h /s f\*.*” that was supposed to make the files visible but instead got a “Not Resetting System File” response.

    I am messed up now. Can’t format cause I have files I need there.

    Note: This is only restricted to my memory card, I have inserted it in my pc even when there was no Antivirus and when there was, more than 40 times in the last 2 months but my pc remains okay, all my files still there – no shortcuts. Its only my memory card that’s badly infected.

    Observation: All the files in folders inside the memory card all can be retrieved cause the shortcuts open in a separate window when clicked. But the files on the root of the memory card are permanently on shortcuts.

    Awaiting your advice. Thanks in advance.

    • Felipe La Rotta

      Hello Franklin!

      Looks like the damn virus is improving. I made a quick Google search about the “Not Resetting System File” and they suggest using each command separately. Let’s say that F is your damaged drive letter:

      attrib -h -r -s /s /d F:\*.doc (and tap enter)

      attrib -h -r -s /s /d F:\*.avi (and tap enter)

      attrib -h -r -s /s /d F:\*.png (and tap enter)

      attrib -h -r -s /s /d F:\*.jpg (and tap enter)

      and so on with every file type

      If that doesn’t work try with each attribute separately

      attrib -h /s /d F:\*.* (and tap enter)
      attrib -r /s /d F:\*.* (and tap enter)
      attrib -s /s /d F:\*.* (and tap enter)

      Please let me know if it worked for you, I’ll wait for your answer

  49. Dawud

    Hi, I just did that thing to get rid of vbs file but when i go to where its supposed to be it isnt there. It seems it doesnt exist. Should i do the next step which was to delete the thing from the registry editor? Thanks

      • Dawud

        i just deleted the regedit vbs thing but my usb is still doing the same thing. should i carry on with the next 2 or 3 steps?

      • Dawud

        I tried to do the command prompt thing but it doesnt work. Also, on your picture of the command prompt it says on the black box documents and settings
        mine says document and settings-user
        maybe thats why it doesnt work cos it has the additional word ‘user’.
        please can u help me, 3 of my usbs are messed up as well as my mobile phone. Thanks

  50. Anonymous

    Your post resolved an issue that’s been lingering for 2 weeks! Very well articulated and 100% success rate for me.Thank you!

  51. hai

    hai guys pls can u help me with the removing of virus it is irritating me my memory card inserted in usb and then i deleted those shortcuts and within a seconds it will re placing in there place how should i remove this now

  52. Majid Fazal

    I was almost about to re install window when i stumbled upon your article, and needless to say everything is perfect now thanks to you. You saved me man! Take care and thanks. God bless you

  53. vuk popovic

    Thank you very much. I earned the virus by bringing my USB flash drive to a printing shop. You are a lifesaver mate! Thank you!

  54. So Thankful

    WOW THANK YOU!I spent about an hour trying to fix this and the freaking thing would keep coming back. That is until i followed these instructions!!!! THANK YOU! I LOVE U!!!

    • Grafik Krime

      It’s an encoded script file rather than a standard Visual Basic Script file, so yes this infection from the posts above is evolving a little from when I first posted, so I haven’t seen the new .vbe or vbs files as yet. Pretty sure I don’t want to either

  55. Sam

    hey in my usb there is MS Dos drdflk.vbe which never gets deleted , even after format it always reappears and makes shortcut of original file if it runs in windows 7 but in xp it turns original file into shortcut . i tried everything mention above but still not working. what should i do?

  56. ARVIN

    ended process WSCRIPT.EXE, went to REGEDIT: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but didn’t find any .vbs file. BUT, I find a file which I think is suspicious =

      • Name: xuhjvihhox
      • Type: REG_SZ
      • DATA: wscript.exe//B “C:\Users\edward\AppData\Local\Temp\xuhjvhhox.vbs”

    WHAT SHOULD I DO? (I KNOW I SHOULD GO THERE AND DELETE IT, BUT I NEED YOUR DETAILED INSTRUCTION ON WHAT TO DO) THANKSSSSSS

    • Grafik Krime

      Hi Arvin

      Right click on the registry key you found and delete it, then navigate to the folder C:\Users\edward\AppData\Local\Temp and delete that file. You may need to set the folder to being viewable though, as it should be a hidden\system folder. Open Windows Explorer, select Organise (top left), select Folder and search options (opens new window), select VIEW TAB, then select SHOW HIDDEN FILES AND FOLDERS and uncheck Hide Protected Operating System files.

      You should now be able to delete the file, unless it is a running process, if it is then open task manager and stop any WSCRIPT.EXE processes, then delete the file.

      Once done, go back and set your files to Hidden and hide operating system files again. It’s too easy to make mistakes and stuff something up if you’re a novice

      • ARVIN

        Everything worked like a charm! Thanks a bunch (seriously)! Cuz this virus is such a pain in the ass -.-
        Restarted my PC, checked taskmanager + regedit, and the file is completely gone.

        One more thing, tho. Here’s my situation:
        Yesterday, I wanted to some things in my phone (normal files: .docx, .mp3). When I inserted the USB cable(phone-PC), that’s the time that I found out this .vbs virus. Next day (today), I found your blog, followed your steps, restarted, cleaned the PC.

        Now, I’d like to insert my phone once again to continue transferring some files (I panicked & remove the USB after seeing the virus). WOULD IT BE SAFE NOW TO INSERT MY PHONE AGAIN?

        (btw, i still need to type attrib -h -r -s /s /d x:\*.* in the cmd if I have your confirmation/permission)

  57. jhun

    hey guys i need help pls. I encounter a Trojan virus name “provide.vbs” this virus infect the usb by creating shortcuts for all the files in usb and hidden the original files. and also i found out this virus stay in PC on “C:\ Documents and Settings\ All Users\ Start Menu\ Programs\ Startup” and “C:\Documents and Settings\User_Name\Local Settings\Temp ” what is the best antivirus that when you insert your usb it can automatically delete that virus.???

  58. Alma

    Thank you so very much this information. 3 different antivirus software couldn’t get rid of this bugger. I also surfed all over the net for solutions. They were all duds. You saved me from a sleepless night. :)

  59. Celine

    This worked for my laptop. But on my other computer, i can’t seem to delete the .vbs from its location because it is open in “Microsoft Windows Based Script Host” … what should i do? thank you!

    • Grafik Krime

      Hi Celine, it looks like the process is still running. If this is the case then you cannot delete the active file until the process is stopped. Try all of the steps at the top of the page: you should follow the instructions in regards to stopping the process from running and then delete the link in regedit. After this, if you cannot delete the actual file there are a couple of things you could try.

      1: Instead of just hitting the delete key, try right click on the file, then cut and paste it to the recycle bin, then empty the recycle bin, and complete the rest of the steps as per top of page.

      2: If 1: didn’t work, then after completing the stop\regedit steps, try restarting your PC in Safe Mode by pressing the F* key during start up, at the black screen, and select Safe Mode. This will only start necessary programs from running. Once restarted, try to delete the file and complete the rest of the steps as per top of page once again to make sure it’s all gone. Then restart the computer and check everything is good once more

      Hope it Helps let us know how you went
      Regards Grafik

      • Celine

        I’m sorry for bothering you. As it turns out i had accidentally skipped the “ending process wscript.exe”. Sorry for having to bother you… Thank you so much you and this post have been of great help! :D

  60. Jamal

    Thanks to admin and Grafik Krime, finally I solved the problem started about a couple of weeks ago.
    Here is the update. In my case, I followed the steps that pretty similar to Grafik Krime :

    Open Task Manager (Ctrl+Alt+Del) and End Process for any wdr201b.exe that is currently running. (This will stop the running virus, the next steps are for preventing it from running again next time you start your computer)
    Click on Start
    Type REGEDIT and Tap Enter
    Click on HKEY_CURRENT_USER
    Click on Software\
    Click on Microsoft\
    Click on Windows\
    Click on CurrentVersion\
    Click on Run.
    On the list on the right find any reference (in my case : ‘W201b Driver’) to a file that ends with wdr201b.exe and take note of where that wdr201b.exe file is located (in my case : C:\Users\YourName\AppData\Local\Temp\wdr201b.exe)
    Go to the said location and delete the .exe file
    Go back to Regedit and delete the registry key ‘W201b Driver’

    and then follow the step three, four and the rest.
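
The Run-key check that ARVIN and Jamal describe above can be done on the text printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. This is an added example, not part of the original post or any comment; the sample output is constructed (its first two values are modeled on the entries reported in the comments), and the `ExampleUpdater` entry and the three heuristics are assumptions chosen for illustration.

```python
import re

# Constructed sample in the layout printed by
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# "ExampleUpdater" is a made-up benign entry.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    xuhjvihhox    REG_SZ    wscript.exe //B "C:\Users\edward\AppData\Local\Temp\xuhjvhhox.vbs"
    W201b Driver    REG_SZ    C:\Users\YourName\AppData\Local\Temp\wdr201b.exe
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
'''

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\local settings\\temp\\")
# Value lines are indented and use four spaces between name, type and data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_run_values(text):
    """Return [(name, type, data)] for every value line in reg query output."""
    rows = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows

def reasons(data):
    """List the reasons a Run value's command line deserves a manual look."""
    d = data.lower()
    found = []
    if any(host in d for host in SCRIPT_HOSTS):
        found.append("launches a script host")
    if SCRIPT_EXT.search(d):
        found.append("points at a script file")
    if any(t in d for t in TEMP_DIRS):
        found.append("runs from a Temp folder")
    return found

def audit(text):
    """Map value name -> reasons, for flagged values only."""
    flagged = {}
    for name, _type, data in parse_run_values(text):
        why = reasons(data)
        if why:
            flagged[name] = why
    return flagged

if __name__ == "__main__":
    for name, why in audit(SAMPLE).items():
        print(f"{name}: {', '.join(why)}")
```

A flagged value is only a candidate for review: legitimate software sometimes starts from AppData, so check the file it points to before deleting the entry.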

  61. Diego

    I accidentally deleted the registry key before deleting the file. Help!..

    I have a “load.exe” file on my memory card and my folders turned to shortcuts.. All of it… Can you please help me

    • Felipe La Rotta

      Hello Diego

      If the virus is still running in your computer it will restore its registry entry again. If the virus was already terminated by your antivirus then deleting the suspicious .exe file will work (don’t forget to follow the other steps mentioned on the guide)

  62. Anonymous

    Hi .the infected drive is my system drive C ….when i do step 5 ….and type attrib -h -r…etc. it says ” invalid switch /c”…any help on this?

  63. Kareem

    Hi..i followed all the steps…i have not found any .vbs files though…..i ran the attrib change…but while running….almost all files had ” access denied” written before it…thus when finished…nothing changed !!……any help please…..and unfortunately i have no restoration points to go to :(

  64. Anonymous

    Thank you so much! this helped a lot! taken me almost an hour to configure (not really techie, got lost in translation haha), thankfully, with some luck, i managed to retrieve my files! THANK YOU!

  65. annie

    My laptop doesn’t have internet connections at the moment..and the laptop stated I don’t have antivirus that’s y the virus wasn’t detected..now I ddnt know it was a virus and last nyt I connected my blackberry to my laptop to take in some files..I copyd some songs from my laptop to my phone..bt then all of my folders in my memory card turned shortcuts..including the blackberry folder..now my phone isn’t showing any media files even though my memory card is in there..my memory card is still running as I played the downloaded songs and they played..without some songs saying they can’t find it and stuff..bt when I tried to go to the main blackberry folder ,where all media files should be as it was in the memory card,I found that I couldn’t open any file der cz they all were turned shortcuts..including my blackberry folder..and when I tried to open it..it didn’t open cz it didn’t recognise the file/it needs its main folder.. :’( …I need help!! and I can only see my files if I connect my bb to the laptop via an usb cable…bt bt I want my media in my phone.. :( :( :(

  66. Anonymous

    i followed the steps but my antivirus program cannot detect any infection i can copy files but shortcuts are being created and cannot be deleted
