Ultimate Guide in Removing VBS Worms
In this tutorial, I'll be talking about a quick way of removing computer malware, specifically VBS worms. Removal involves the following steps:
- Terminating the malicious process
- Removal of the startup entries associated with the worm
- Deletion of the VBS file including its drop files
VBS worms come in different shapes and sizes. Some are easy to read, while most of the current strains are encrypted so their content is not easily readable. Some strains are simply annoying, infecting every external drive inserted into an infected system or creating shortcuts. Some are even written to steal passwords. Whatever the strain is, disinfection and removal can be performed using the three steps mentioned above.
How I decide which files other than the VBS worm itself are to be deleted is based on my quick analysis: I simply reverse the effect the worm may have on an infected system. There's no need for me to do a very comprehensive analysis, since the majority of these worms are already detected by commercial antivirus solutions. There's no need to reinvent the wheel. My approach is to make your scanning effective by terminating any malicious process before doing a full scan, since most AVs available can repair whatever a VBS worm may have done in the Windows registry.
Specifics in removing known or unknown strains will be covered in future tutorials.
Terminating the malicious process
The majority of the VBS worms I encountered, about 98% of those I've analyzed, can be stopped by killing the wscript.exe process. Less than a handful of samples assemble an executable file when first run and execute that file instead every time Windows starts.
Using Windows Task Manager
Assuming that Task Manager is not disabled by the worm, the easiest solution is to use it to terminate the malicious process.
(Screenshot: Using taskman to terminate the vbs worm process)
Highlight wscript.exe process and click on the End Process button.
Using taskkill
Another approach is to use taskkill.exe at the CMD prompt.
taskkill /f /im wscript.exe
(Screenshot: Using taskkill to terminate the vbs worm process)
Using a 3rd party alternative to Windows Task Manager
So far, this is the best solution, since these utilities have a lot more to offer compared to the plain vanilla taskman. There are many great alternatives, both commercial and freeware. Since I'm familiar with System Explorer and DTaskmanager, I'll be using either of the two in my manual removal instructions. Both tools are freeware, by the way.
(Screenshot: Using System Explorer to terminate the vbs worm process)
(Screenshot: Using DTaskmanager to terminate the vbs worm process)
Just like in taskman, highlight wscript.exe and terminate the process. Notice that you have more options with DTaskmanager. Unlike taskman, you can see the VBS file name and its path within System Explorer.
Removal of the startup entries associated with the worm
There is more than one way to skin a cat, and the same goes for malware removal. You can use regedit or a registry script to delete the startup entries used by the VBS worm, or use other tools to make the job easier, especially if you are not familiar with regedit. Here is a list of some of the tools:
- msconfig (there are better alternatives)
- HijackThis
- Hijack Hunter
- Autoruns
- CCleaner
- System Explorer, etc.
Using CCleaner
Launch CCleaner and go to Tools | Startups. Highlight the entry and click the Disable or Delete button.
(Screenshot: Using CCleaner to delete or disable the vbs worm startup entry)
Click OK.
Using System Explorer
(Screenshot: Using System Explorer to delete the vbs worm startup entry)
Launch System Explorer. Go to the Autoruns tab. Right click on the Windows Script Host entry and select Delete Item.
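For readers who prefer the CMD/PowerShell route over a GUI tool, here is an added example (my own script, not from any of the tools above) that does the first two steps in one go: it lists every wscript.exe process with its full command line, so the path of the VBS file is visible just as System Explorer shows it, terminates them, and then finds and removes Run/RunOnce entries that launch a .vbs file or wscript. It assumes PowerShell 5.1 or later running from an elevated prompt; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes an elevated
# PowerShell 5.1+ session. Step 1: kill wscript.exe; step 2: remove
# startup entries that launch a VBS file.

function Get-WscriptProcess {
    # Win32_Process exposes CommandLine, which Task Manager hides,
    # so the .vbs path the worm was launched with becomes visible.
    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-VbsStartupEntry {
    # The common Run/RunOnce locations a VBS worm writes itself into.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... members PowerShell adds.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match '(?i)\.vbs|wscript') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Step 1: show, then terminate, the Windows Script Host process(es).
Get-WscriptProcess | Format-Table -AutoSize
Get-WscriptProcess | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }

# Step 2: show the suspicious startup entries and remove each one
# after confirmation, so a legitimate script entry is not deleted blindly.
$entries = Get-VbsStartupEntry
$entries | Format-Table -AutoSize
foreach ($e in $entries) {
    Remove-ItemProperty -Path $e.Key -Name $e.Name -Confirm
}
```

Note the CommandLine column from step 1 before the process is killed: it gives you the path of the VBS file you will need for the third step, deleting the file itself.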
Watch the video on how to remove a vbs worm
How to manually remove a vbs worm
To be continued...