How to Remove a VBS Worm

In this tutorial, I'll be removing a worm that hides files and create shortcuts on all files located at the root directory of any external drives.

 

MD5 - bf42cc6bdab6539b6d4e5126ec66fdf4

 

Virustotal scan

Worm script.

 Here is what the worm does to your external drives.

First, we have to terminate the malicious WScript.exe process used by the worm.  Note that not all VBS files are malicious in nature.

You may use any of the following to terminate a process.

• Task Manager
• System Explorer
• Process Explorer
• DTaskManager or any similar utility
• TASKKILL

I'll be using System Explorer throughout my manual malware removal tutorials.  You may use any app you like, it's more of a personal preference.

Right-click on WSCRIPT.EXE and End Process.

or you can use TASKKILL.  The systax is:

TASKKILL /F /IM WSCRIPT.EXE

Using Windows Task Manager to terminate a process.  Highlight wscript.exe and click on End Process.

Deleting the Startup entry from the Startup folder.

Right-click on VBS_WORM (50).vbs and click Delete Item

Deleting HKLM and HKCU entries.  

Right-click on VBS_WORM (50) and Open Item Key in Regedit

Take note of the location (path) of the worm first before deleting it in regedit

Delete both HKLM and HKCU Run entries.

Use Explorer to navigate to the location of the worm and delete it.

At the CMD Prompt, unhide the hidden files on your external drives.

In case the worm that infected your system also hides and create shortcuts of your folders, use the following command instead:

• G: *
• ATTRIB -S -H /S /D \*.*

* Change drive letter accordingly.

Delete the worm and shortcuts.

Repairing leftover registry entries.

Copy and paste the following and save it as FIX.REG.  Double click on the file or Merge to the registry file.  Click YES when prompted.

Windows Registry Editor Version 5.00

;BF42CC6BDAB6539B6D4E5126EC66FDF4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (50)]

NOTE:  This is specific to this strains of worm.  In case the worm was renamed, it uses the new filename as the registry key, so you have to change FIX.REG accordingly.

Update your antivirus program and perform a full scan of the computer.

If you find this tutorial useful, please comment, share or email me. You can also make a donation to my PayPal account to help me continue my work. Thank you.

WinXPert

arnaldo.austria@gmail.com

https://www.facebook.com/groups/pinoytechrambo

To GOD be the glory!

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 Arnaldo Austria. All rights reserved. All other trademarks are the sole property of their respective owners.