Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Files and folders on external storage replaced with .lnk files

  • Please log in to reply
1 reply to this topic

#1 theagentman


  • Members
  • 1 posts
  • Local time:08:42 AM

Posted 17 December 2014 - 11:31 AM


I'm running Windows 8.1 64 bit.

When I plug in an SD card or USB drive into my computer all the files and folders are replaced with .lnk files with the same name as the original. In addition, all the files and folders are hidden, and I don't seem to be able to unhide them.

This does not happen every time I plug it in, but it happens fairly often. The motive behind the lnks is clear when I look at its properties. Here is an example of what one looks like replacing a file named splash.lua: 

%SystemRoot%\system32\cmd.exe /c "start %cd%splash.lua & start %cd%wyNdYUwEdFccnce.exe & exit"

It is starting another hidden file which is the virus.

I've run full scans with Malwarebytes AntiMalware, and Avast free Antivirus, but they found nothing. I even tried Malwarebytes AntiRootkit, and it found nothing either.


Possibly related to this, a folder appeared in the root of  both my hard drive partitions called $Recycle.Bin. I've heard of other people with this identifying it as malware, so I figured I should mention it.


However, the thing that worries me most is that if I didn't notice that the files were .lnks, I would have no idea anything fishy is going on at all. My antiviruses said nothing, and there's no reason to think I would have a virus.

Is there anyway to be sure there is no malware at all after I take care of it? For all I know, someone could be recording all my passwords and everything I type and I would have no idea.

Thank you very much.


BC AdBot (Login to Remove)


#2 pyroclastic


  • Members
  • 10 posts
  • Gender:Male
  • Local time:02:42 PM

Posted 21 December 2014 - 05:37 PM

Seeing that no one responded to your topic yet, I'd suggest you open another one in http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/



I would approach your problem using Farbars Recovery Scan Tool, but as per forum rules I can't give you instructions regarding that on this forum, so I can't help you in that regard in this topic.


When you create another topic in the other forum section you could include a report from USBFix: http://www.en.usbfix.net (alternate download: http://www.infospyware.com/utiles/usbfix/ click "descargar").

Once downloaded start it as administrator (right click > run as admin) and when prompted connect your drives containing .lnk files. After that click 'research'. When completed a report will open (can also be found at C:\usbfix.txt). Post that one to your new topic. 

You can open USBFix once again and this time press 'listing'. It will create another report detailing your various filesystem root locations. Attach that log file, too.


Best of luck.


edit for typo.

Edited by pyroclastic, 21 December 2014 - 05:42 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users