USB shortcut virus hid my files — are they still there? In most cases, yes. The shortcut virus does not erase your data; it changes file attributes so Windows hides them, then drops fake shortcut (.lnk) files in their place. Your files are almost certainly still sitting on the drive. This guide explains how to confirm that, how to get them back, and — critically — what to do when the usual fix does not work.
Part 1. What the Shortcut Virus Actually Does to Your Files
The shortcut virus is a category of malware, often a VBS or AutoRun worm, that targets removable storage devices. When it infects a USB drive, it performs two actions:
- Sets three file attributes on every file and folder: Hidden (H), Read-only (R), and System (S). Windows hides items with the System attribute by default, even when "Show hidden files" is turned on in standard settings.
- Creates .lnk shortcut files with the same names as your original folders. These shortcuts are typically 0 KB placeholders. Clicking one may execute the virus payload and spread the infection to the host computer.
Your original files are not deleted. They are still occupying space on the drive — they are simply flagged so Windows does not display them. The virus exploits normal Windows behavior rather than destroying data.
💡 Tip: Right-click your USB drive in File Explorer and choose Properties. If the "Used space" figure is significantly larger than what you can see on the drive, your files are almost certainly hidden — not gone.
Diagnostic Table: Is It the Shortcut Virus?
| Symptom | Shortcut Virus | Accidental Deletion | Drive Format |
|---|---|---|---|
| Drive shows less than expected free space | ✅ Yes | ❌ No | ❌ No |
| Folder icons replaced by shortcut arrows | ✅ Yes | ❌ No | ❌ No |
| Used space in Properties looks normal | ✅ Yes | ❌ No | ❌ No |
| .lnk files visible with same names as folders | ✅ Yes | ❌ No | ❌ No |
| Drive appears completely empty | Possible (aggressive variant) | ✅ Yes | ✅ Yes |
| Autorun.inf or .vbs files visible | ✅ Yes | ❌ No | ❌ No |
If the top four rows match your situation, the shortcut virus is the likely cause and your files are probably still present.
🗣️ r/techsupport user: "Shortcut virus has hidden my files so well I am unable to retrieve them. Tried showing hidden files and cmd — none fully worked."
Part 2. How to Confirm Your Files Are Still on the Drive
Before running any commands, spend 30 seconds verifying the files are there.
Step 1 — Check used space. Open File Explorer (Win + E), right-click your USB drive, and choose Properties. Note the "Used space" value.
Step 2 — Compare against visible content. If your visible files add up to far less than the used space shown, data is hidden. For example: 8 GB used but only a handful of 0 KB shortcuts visible — your files are still there.
Step 3 — Look for infection markers. Still in File Explorer, check if the drive root contains any of these: autorun.inf, files ending in .vbs, files ending in .bat, or a folder named RECYCLER. Their presence confirms a shortcut virus infection.
💡 Tip: Do not open any shortcut files or double-click any .vbs file on the drive. Opening them can spread the virus to your computer.
Part 3. Method 1 — Show Hidden Files via Windows Explorer
This is the quickest check. It will not remove the hidden attribute, but it will let you see and copy your files immediately.
Step 1 — Open Folder Options. In Windows File Explorer, click the View tab (Windows 10) or the three-dot menu → Options (Windows 11).
Step 2 — Enable all hidden file display. Go to the View tab inside Folder Options. Under "Hidden files and folders," select Show hidden files, folders, and drives. Then uncheck Hide protected operating system files (Recommended). Click Apply, then OK.
Step 3 — Navigate to your USB drive. Your hidden files and folders may now appear, typically dimmed or semi-transparent to indicate they are hidden. You can copy them to your desktop or another drive.
⚠️ Important: This method only makes files visible — it does not remove the hidden/system attributes. If you copy the files and then re-enable "Hide protected operating system files," the files may disappear again on the destination drive too. Use Method 2 to permanently remove the attributes.
Limitation: Some aggressive variants apply attributes at a deeper level that Explorer's view settings do not surface. If your files still do not appear, move to Method 2.
Part 4. Method 2 — Remove Hidden Attributes with the attrib Command
The attrib command in Windows Command Prompt directly strips the Hidden, Read-only, and System flags from every file and folder on the drive. This is the standard fix for most shortcut virus infections.
Step 1 — Identify your USB drive letter. Open File Explorer. In the left panel, note the drive letter assigned to your USB (for example, E: or F:).
Step 2 — Open Command Prompt as Administrator.
Press Win + S, type cmd, right-click Command Prompt, and choose Run as administrator.
Step 3 — Run the attrib command.
Type the following command, replacing X with your actual drive letter, and press Enter:
attrib -h -r -s /s /d X:\*.*
Wait for the command to complete. On large drives this may take a minute or two.
Step 4 — Check the drive. Open File Explorer and navigate to the USB drive. Your files and folders should now be visible. Immediately copy them to a safe location on your computer.
attrib Command Parameters Explained
| Parameter | Meaning | Effect on Shortcut Virus |
|---|---|---|
-h |
Remove Hidden attribute | Makes hidden files visible in Explorer |
-r |
Remove Read-only attribute | Allows files to be modified or deleted |
-s |
Remove System attribute | Removes the flag that hides files even when "show hidden" is on |
/s |
Apply to all files in subdirectories | Processes every file in every subfolder |
/d |
Apply to directories too | Unhides folders, not just individual files |
X:\*.* |
Target all files on drive X | Matches every filename and extension |
💡 Tip: After your files are visible and copied to safety, run a full antivirus scan on the USB drive using Microsoft Defender or Malwarebytes before using the drive again.
🗣️ r/computerviruses user: "This damn virus won't go away. I have been struggling for ages — every time I remove it from the USB it comes back after plugging it in again."
Part 5. Method 3 — What to Do When the attrib Command Fails
Most guides stop at the attrib command. However, a more aggressive class of shortcut virus does something worse: in addition to hiding files, it may also delete the directory entries for some files — particularly if the malware ran for an extended period or was removed improperly. When this happens, attrib completes without errors but some or all files remain invisible because they no longer have valid directory entries pointing to them.
Signs that attrib has failed to fully recover your files:
- The command runs with no errors, but files still do not appear
- Only some files reappear but others remain missing
- The drive letter opens to an empty or near-empty view even after running the command
- Used space in Properties still shows significant data, but files are not accessible
What to do:
Step 1 — Do not format the drive. Formatting overwrites the space where your file data is stored. Even if directory entries are gone, the actual file data often remains in unallocated clusters until overwritten.
Step 2 — Stop using the drive. Every write operation to the drive risks overwriting recoverable data.
Step 3 — Use data recovery software to scan the drive. Recovery software can locate file data by scanning the raw sectors of the drive, rebuilding files even when directory entries are missing. This is a fundamentally different approach from attrib, which only manipulates file attributes.
Step 4 — Recover to a different drive. Always save recovered files to a different physical drive or folder — never back to the infected USB.
💡 Tip: If the attrib command finished but your files are still missing, check the drive's used space one more time before doing anything else. If used space has dropped to near zero, it is possible the virus or a hasty antivirus removal also deleted the file data. Recovery software may still be able to recover files from that unallocated space.
Part 6. Permanently Removing the Shortcut Virus
Recovering your files is only half the job. If you do not remove the virus from the drive, it will re-hide your files and re-infect any computer you plug the drive into.
Step 1 — Delete all shortcut files. Open Command Prompt as Administrator, navigate to the drive, and run:
del /f /s /q X:\*.lnk
Step 2 — Delete autorun.inf.
del /f /q X:\autorun.inf
Step 3 — Delete suspicious script files.
Look for and delete files with .vbs, .bat, or .exe extensions in the root of the drive that you did not place there. Use caution — verify each file before deleting.
Step 4 — Scan with antivirus. Run a full scan of the USB drive using Microsoft Defender, Malwarebytes, or a trusted equivalent. Allow it to quarantine or remove anything it finds.
Step 5 — Consider reformatting. If any doubt remains, back up all recovered files to your computer, then format the USB drive (Quick Format is sufficient for removing the virus). This typically provides a clean slate.
⚠️ Important: Removing the virus from the USB drive does not remove it from any computer the drive was plugged into. Run a full antivirus scan on every PC that accessed the infected drive.
Part 7. Recover Hidden or Deleted Files with Ritridata
When the attrib command does not fully restore your files — or when an aggressive shortcut virus variant has deleted directory entries alongside hiding files — data recovery software may be able to retrieve what manual methods cannot.
Ritridata scans the raw sectors of the USB drive to locate file data that may still exist even when directory entries are missing or corrupted. This approach works independently of file attributes, which makes it useful for the Tier 3 scenario where attrib alone is not enough.
Step 1 — Select the USB drive as the scan location.
Open Ritridata and choose your USB drive from the list of available drives. Do not select a folder on your system drive.
Step 2 — Run a safe scan.
Start the scan. Ritridata reads the drive without writing to it, so no data is modified during the process.
Step 3 — Preview results and recover to a different drive.
Browse the scan results. Preview files where possible to confirm they are intact. Select the files you want to keep and save them to a folder on your computer — not back to the infected USB drive.
FAQ
Are my files permanently deleted by the shortcut virus? In most cases, no. The shortcut virus typically hides files by changing their attributes rather than deleting them. If the attrib command restores your files, they were never deleted. In some cases involving more aggressive variants, directory entries may be removed, but the underlying file data often remains recoverable with data recovery software.
Why can't I see my files even after enabling "Show hidden files" in Explorer? The shortcut virus sets the System attribute in addition to the Hidden attribute. Windows hides System-flagged files even when "Show hidden files" is enabled, unless you also uncheck "Hide protected operating system files." If both settings are adjusted and files still do not appear, use the attrib command.
Will running the attrib command damage my files? The attrib command only modifies file attribute flags. It does not read, write, or alter the actual file content. In typical cases it is safe to run. The main risk is accidentally targeting the wrong drive letter — double-check the letter before running the command.
Why does the shortcut virus keep coming back after I remove it? This typically means the virus has also infected the computer the USB was connected to, not just the drive itself. Each time you plug the USB in, the computer re-infects it. Remove the virus from the host computer using antivirus software, then clean the USB drive again.
Can I just format the USB drive to remove the virus? Formatting will remove the virus, but you must recover your files first. Format only after confirming your files are safely copied elsewhere. A Quick Format is sufficient to remove the virus.
Is the shortcut virus dangerous beyond hiding files? Some variants carry additional payloads. Clicking a shortcut (.lnk) file on the infected drive may execute a script that downloads further malware or spreads the infection. Avoid opening any files directly on the infected drive until after it has been cleaned.
Does the shortcut virus affect files already on the computer or only on the USB? The infection primarily targets removable storage. However, some variants can also hide files in shared network folders or on the host computer's drives. After cleaning the USB, scan all drives on any affected computer.
What file types does the shortcut virus typically hide? The virus hides everything — documents, photos, videos, folders — by applying attributes at the directory level. No file type is selectively targeted or protected.