Windows Security · USB Drive Recovery

All Folders Turned into Shortcuts in Windows: How to Fix It

A practical guide for Windows 10 and Windows 11 when folders on a USB flash drive, external drive, memory card, or local disk suddenly become shortcut files.

🛡 Shortcut malware cleanup 📁 Hidden folder recovery 💽 USB, HDD, SSD, SD card ⏱ ~12 min read
Section 01

Folders Turned into Shortcuts in Windows: What It Usually Means

If every folder on a drive suddenly appears as a small shortcut with an arrow icon, the most common cause is shortcut malware. This type of infection usually hides your real folders, creates fake .lnk shortcut files with the same names, and runs a malicious script when you open one of those shortcuts.

⚠️
Important Do not keep opening the shortcut folders. The real folders may still be on the drive, but clicking the fake shortcuts can re-run the infection and spread it to other removable drives.
01

Stop clicking shortcuts

Close File Explorer windows that point to the infected drive and avoid double-clicking .lnk files.

02

Reveal hidden folders

Use File Explorer settings or the attrib command to check whether your real data is hidden.

03

Scan and clean

Run Microsoft Defender or another trusted scanner against both Windows and the affected drive.

04

Back up safely

Copy only recovered documents, photos, and other real files — not suspicious scripts or shortcuts.

Section 02

How to Recognize a Shortcut Virus on a USB Drive or Disk

The problem often appears after using a USB drive on another computer, copying files from an unknown source, or connecting a memory card to an infected PC. The drive may look almost normal, but the visible folders are actually shortcut files.

📁 Folders have shortcut arrows

Folder icons show the small shortcut overlay, and their properties identify them as Shortcut files instead of real folders.

📄 All items are very small

The fake shortcuts may be only a few kilobytes, while the drive still shows used space in File Explorer.

🧩 Unknown scripts appear

You may see files such as autorun.inf, desktop.ini, .vbs, .cmd, or .js in the drive root.

🔁 The problem returns

If the same drive becomes infected again after cleanup, the Windows computer itself may still contain an active startup entry.

What you see Likely meaning What to do
Folders changed to shortcuts Real folders are probably hidden and fake .lnk files were created. Do not open the shortcuts; reveal hidden folders first.
Drive space is still used Your files may still be present, but marked as hidden or system. Use the attrib recovery command.
Suspicious script files The shortcut may launch a script before opening the real folder. Scan the drive and delete only clearly malicious leftovers after scanning.
New USB drives also get infected Windows may still have malware in startup, scheduled tasks, or user profile folders. Scan the whole PC and check startup locations.
Section 03

First Actions Before Fixing Shortcut Folders in Windows

Treat the affected drive as potentially infected until you finish scanning. The goal is to avoid launching the malware again while still preserving the original files.

  1. Do not double-click any shortcut that appeared unexpectedly on the drive.
  2. Disconnect other USB drives, external disks, cameras, and memory cards from the computer.
  3. Do not copy the fake shortcut files to another computer.
  4. Open File Explorer using Win + E, but avoid running unknown files from the affected drive.
  5. If the drive contains critical business or legal files, make a read-only image or ask a professional recovery service before deleting anything.
💡
Tip If the affected drive is a USB flash drive, write down its current drive letter, for example E: or F:. You will need the correct letter for the recovery command.
Section 04

Show Hidden Files to Check Whether Your Original Folders Still Exist

Shortcut malware often does not delete the original folders. It marks them as hidden and system-protected, then places shortcuts in front of them. First, make Windows show hidden items.

Windows 11

  1. Open File Explorer.
  2. Click View on the command bar.
  3. Select Show and enable Hidden items.
  4. Click Options, open the View tab, and temporarily disable Hide protected operating system files.

Windows 10

  1. Open File Explorer.
  2. Go to the View tab.
  3. Enable Hidden items.
  4. Open OptionsView and temporarily clear Hide protected operating system files.
⚠️
Warning Re-enable Hide protected operating system files after recovery. Keeping system files visible all the time increases the risk of accidental deletion.
Section 05

Recover Hidden Folders with the Attrib Command

If the drive still shows used space but your folders are hidden, use Command Prompt to remove the hidden, system, and read-only attributes from files and folders on the affected drive.

Replace E: with the real drive letter of your affected drive. You can check it in This PC. Do not run the command against the wrong drive by mistake.
  1. Connect the affected drive to a computer that has antivirus protection enabled.
  2. Open Start, type cmd, right-click Command Prompt, and choose Run as administrator.
  3. Run the command below, changing the drive letter first.
Command Prompt — replace E: with your drive letterattrib -h -r -s /s /d E:\*.*

After the command finishes, open the drive again. The original folders should become visible. If you see both real folders and fake shortcuts, open only the real folders. Do not open the shortcut copies.

Good sign If the recovered folders have normal sizes and open without launching a shortcut, copy your important files to a clean location before continuing with deeper cleanup.
Section 06

Scan the Infected Drive and Remove Shortcut Malware

Recovering hidden folders is not the same as removing the infection. You still need to scan the computer and the affected drive. Otherwise, the shortcuts may return after the next reboot or when you connect another USB drive.

Method 01

Microsoft Defender Full Scan

Use Windows Security to scan the entire PC and the connected drive. This is the safest first pass for most users.

Recommended first
Method 02

Microsoft Defender Offline Scan

Run an offline scan if the malware keeps returning, closes security tools, or hides itself while Windows is running.

For persistent malware
Method 03

Second-opinion scanner

Use another trusted scanner if Defender removes something but the drive still creates shortcuts again.

Optional check

Run a Full Scan in Windows Security

  1. Open Start and search for Windows Security.
  2. Open Virus & threat protection.
  3. Click Scan options.
  4. Select Full scan and start the scan.
  5. After that, scan the removable drive directly from File Explorer if the option is available in the context menu.

When to use Microsoft Defender Offline

Use Microsoft Defender Offline scan if suspicious scripts return after deletion, new drives become infected automatically, or security tools close unexpectedly. Save your work first because Windows will restart.

Section 07

Delete Malicious Shortcuts, Autorun Files, and Script Leftovers

After scanning, you can remove obvious remnants from the affected drive. Be careful: delete fake shortcuts and suspicious scripts, not your recovered folders.

Items that are often safe to remove after recovery

🧯
Be careful Do not delete normal documents, photos, archives, project files, or folders whose names and sizes match your real data. If in doubt, copy the recovered data to another clean drive before manual cleanup.

You can also use Command Prompt to list shortcut and script files on the affected drive before deleting anything: 

List suspicious file types — replace E: firstdir E:\*.lnk /a

dir E:\*.vbs /a

dir E:\*.js /a

dir E:\*.cmd /a

dir E:\autorun.inf /a
Section 08

Check Windows Startup if Shortcut Folders Keep Coming Back

If the same drive gets infected again immediately, the malware may still be launching from the Windows user profile, Startup folder, Registry, or Task Scheduler. Check these areas only after running antivirus scans.

Area to check What to look for How to open it
Task Manager startup list Unknown entries with blank publishers or random names. Press Ctrl + Shift + Esc, then open Startup apps.
Startup folder Unexpected shortcuts, scripts, or executable files. Press Win + R and run shell:startup.
Task Scheduler Tasks that run scripts from temporary folders, user profile folders, or removable drives. Search for Task Scheduler in Start.
Temporary folders Suspicious scripts or executables with recent modification dates. Press Win + R and run %temp%.
🚫
Do not guess in Registry If you are not sure what an entry does, do not delete it manually. Export a backup first or use a reputable malware removal tool. Removing the wrong startup or Registry item can break normal software.
Section 09

When You Should Back Up Files and Format the Drive

If the affected drive is removable, formatting it after recovery is often the cleanest final step. Format only after you have copied the real files to a safe location and scanned that backup location.

Format the drive if

  • The shortcut files return after manual deletion.
  • The drive root contains many unknown scripts.
  • The drive was used on several infected or unknown computers.
  • You already recovered and backed up the important files.

Do not format yet if

  • The only copy of important files is still on the affected drive.
  • The drive shows used space but folders are still not visible.
  • The drive has file system errors or asks to be formatted before opening.
  • You need professional data recovery from the device.

How to format after recovery

  1. Copy recovered files to a clean folder on another drive.
  2. Scan the copied files with antivirus software.
  3. Open This PC.
  4. Right-click the affected removable drive and choose Format.
  5. Use exFAT for broad compatibility or NTFS for Windows-only storage with permissions and large files.
  6. After formatting, copy back only clean, recovered files.
Section 10

How to Prevent Folders from Turning into Shortcuts Again

Shortcut malware spreads mostly through removable drives and careless execution of scripts. Prevention is mainly about keeping automatic execution disabled, scanning unknown drives, and avoiding suspicious shortcuts.

Show file extensions in Windows

  1. Open File Explorer.
  2. In Windows 11, choose ViewShowFile name extensions.
  3. In Windows 10, open the View tab and enable File name extensions.
Section 11

FAQ: Folders Became Shortcuts in Windows

Q Are my files deleted if folders turned into shortcuts?
Not always. In many cases, the real folders are still on the drive but hidden with system attributes. If the drive still shows used space, try revealing hidden files and running the attrib command before formatting.
Q Can I just delete all shortcut files?
You can delete fake .lnk files after you recover the original folders and scan the drive. Do not delete unfamiliar items blindly if you are not sure whether they are part of your data.
Q Why does the shortcut virus come back after I clean the USB drive?
The Windows computer may still have malware in startup, scheduled tasks, temporary folders, or the user profile. Scan the whole PC, not only the removable drive.
Q Should I format the USB drive immediately?
Format only after recovering and backing up your real files. If the drive contains the only copy of important data, recover first, scan the recovered data, and format only as the final cleanup step.
Q Does this problem affect Windows 10 and Windows 11 the same way?
Yes. Shortcut malware can affect removable drives on both Windows 10 and Windows 11. The interface for showing hidden files is slightly different, but the recovery and scanning logic is the same.

Final Recommendation

When folders turn into shortcuts, do not assume the files are gone. First stop opening shortcuts, reveal hidden folders, run the attrib command with the correct drive letter, scan both the drive and Windows, then delete fake shortcuts and suspicious scripts. If the drive is removable, back up clean recovered files and format the drive as the final safety step.