Shortcut Virus

Hi there people,

i tried searching through the forum but yielded no results.
Some of my files but not all, on my external hard drive that i use for basic backup transformed into shortcuts, and also only the imporant files are affected. i guess it’s mallware? but nothing seems to be able to solve it. bunch of antiviruses free and paid, also tried recovering with recuva, easeus and win file recover with no success.
I can see the files in the folder, size of folder is 76gb - size on disk is 130gb.
Also tried to clean the registry but there was nothing in it to clean.

has anyone met with this type of situation? maybe someone has some pointers?

google/youtube solutions don’t function at all, cmd also.


It may not be that bad, but maybe even worse :anguished:

Assuming you’ve simply copied these files over from your PC, you may have a case of “drive-too-small-itus”, where the reported size of the drive does not match the actual size of said drive :roll_eyes: So, instead of actually moving data from your PC to the drive, Win-OS created a shortcut to the original file on your PC.

Anyway, you could try accessing the files from a Linux system and see if it shows up as they should.


if they are actual short cuts then its likely someone tried to drag and drop/delet multiple files/folders but clicked create shortcut instead.
you should be able to just delete them…

go to search, type * .* (no space) .
then order the results by type.
all the icons should be grouped together…
look at there date and time…
are they all the same?
then likely the mistake described above.

if your files have been physically changed and they have had a short cut added to there icon…
then submit one or more samples to virus total. and hope it spits out a solution.


i’m guessing this is what happened. Files were deleted from the root folder(desktop) by the pc user(a colleague of mine).

I tried scanning the c drive with every possible software but it doesn’t show anything at all from affected projects. I’m guessing they used shift+del, even though they swear not to :slight_smile:

Anyway thanks for the reponses, i was hoping to help them, but maybe a valuable lesson for chaotic work habit :slight_smile:

So when files are saved, the computer writes the data to the drive, and adds an entry to the file allocation table.
by default, when deleted, the record in the table is removed, and the file itself is left there, and can be over written if the space is needed later.

Photorec or similar might be able to recover the data files, but might not match the filename up with the file.

If it is malware, then perhaps the file was overwritten, in which case, maybe SOL…

1 Like

If the files are still there and they only got their extensions changed you could try to change the extension back to the proper one and see what happens. This is something I’ve never seen in my life and hopefully never will!

Also on Google there are lots of results to siff from. But I wouldn’t advise you to try them directly on the affected files. Make a copy of them and give a try to what’s people suggesting. Never forget to check what you’re doing before doing it and make sure to understand it. If you don’t never follow interenet guides.

1 Like

i thought about this but seems like the whole file is changed, not just an extension. it acts as a shortcut. what it doesn’t make sense to me is that why arent all the files like that, only some of them.
Since all was copied at once i would assume if it was a mistake of unintentional shortcut copy, all of the files would have been shortcuts.

I’m still trying to figure it out and yes, on copied files. But the thing is when i copied the complete folder there is a size difference in the shortcuts. ex. original location would be almost 1mb, and new copy will be 2kb :smiley:

I was thinking of trying some tool that i saw on softonic site “shortcut virus remover tool”, but it looks sketchy to say the least, it has 20000 downloads, but still…

i’ll be going through it this evening and if i manage to find something, will write an update.

1 Like

Yeah, it’s extremely weird.

NEVER EVER download ANYTHING from Softonic! It’s extremely dangerous and they’re not a reliable source for Software!

1 Like

:smile: Agree about softonic :smiley: i was thinking about sending the drive to a recovery company, but it’s only one in my country and their schedule is… like it is. we’ll see what tomorrow brings :smiley:

I was going through easeus guide and tried the cmd thing on a copy of the folder, but it only deleted the shortcuts and nothing brought back :smiley: so i’m hesitant to try it on the original folder :smiley:

Let’s start with some basics…
What is the make and model of the destination drive?
Also, where was the drive sourced sourced from? There are countless sketchy listings on Amazon. (Your best bet when buying storage is when it is shipped and sold by Amazon)

I solved it by sending it to a facility here, they managed to bring back the 2 projects that were important.
Drive is no longer in function at all, but it was I believe western digital 8tb red.


At least you got your data back!
I’d hope we all know the drill about backups…

1 Like

As long as we don’t succumb to " do it later itus"
Neglecting to regularly backup , theres only one person to blame.


On the importance of backups,
I just finished a repair for a client who recently suffered a debilitating stroke.
Their system security was a bit on the anal side.
Swapped the hdd to a new machine, then the fun began🙄
Of course swapping to a new machine is a fresh install of winhosed🤬10
So break out the forensic software and find
3 levels of security plus encryption
He remembered the hdd password and the encryption code, and file level password but the os password was a different story.
Without buying the subscription for the rainbow tables, win7 and beyond is a lost cause.
Poor fellow was in fits with frustration.

6 hours later his wife remembered she had written the password down and put it in the safe.
Yay access granted!:smile:
Anyhow no backup scheme or copies!
I gave them an external usb hdd and set up an automatic backup scheme.

You would think someone would be cautious enough to back up data when they consider it important enough for 3 level security.
It would have saved a lot of work.

Now happy customer,
tired me,
ugh i need a beer or 6​:beer::beer::beer::beer::beer::beer:


Unfortunately, health issues are very problematic when it comes to safety. A person dies, a person loses his memory, or whatever impairs his ability to decipher.

Once there was a case of an admin in a library who was the only one who knew the password to access an important system that is encrypted. One day he died while driving to work and no one knew the password… The library was asking people for help in cracking the password but I don’t remember how it ended.

When securing your secret porn collections, you must also consider the vectors of losing the ability to freely decrypt these data, and unfortunately almost no one does. :wink:

Most of the time you can put it in as a slave drive and recover files using recuva in puppy linux
But my preference is cyborg hawk linux
Or even an external docking station and good forensic distros

My recovery machine had no internet connection in case a suspect drive contained virus infections.
It was easy to maintain redundant cloned os drives.
If a suspect drive did contain a virus it was simple to wipe the os drive, install a clone and clone it at a later date to a clean drive.

This is a lot easier if you use hot swap trays.
Shut down, swap tray, and reboot.
Very little downtime.