In this tutorial, I'll be removing a worm that hides the files in the root directory of any external drive and creates a shortcut in place of each one.
MD5 - bf42cc6bdab6539b6d4e5126ec66fdf4
VirusTotal scan
Worm script.
Here is what the worm does to your external drives.
First, we have to terminate the WScript.exe process that is running the worm. WScript.exe itself is the legitimate Windows Script Host; what is malicious is the VBS file it was launched with, and not every VBS file on a system is malicious, so check which script the process is running before you delete anything.
You may use any of the following to terminate a process.
- Task Manager
- System Explorer
- Process Explorer
- DTaskManager or any similar utility
- TASKKILL
Right-click on WSCRIPT.EXE and choose End Process, or use TASKKILL. The syntax is:
TASKKILL /F /IM WSCRIPT.EXE
Using Windows Task Manager to terminate a process.
Highlight wscript.exe and click on End Process.
Deleting the Startup entry from the Startup folder.
Right-click on VBS_WORM (50).vbs and click Delete Item.
Deleting the HKLM and HKCU entries.
Right-click on VBS_WORM (50) and choose Open Item Key in Regedit.
Take note of the location (path) of the worm first, before deleting the entry in Regedit.
Delete both the HKLM and HKCU Run entries.
Use Explorer to navigate to the location of the worm and delete it.
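The steps above (identify the running script host, the Startup-folder copy and the Run entries, then remove them) can be done from one PowerShell session. The script below is an added example and is not part of the original post or the tool it shows; it assumes Windows PowerShell 5.1 or later running as administrator (needed to delete the HKLM value), and it lists everything it finds without removing anything until you set $commit to $true. Unlike the blind TASKKILL above, it prints the command line of each wscript.exe/cscript.exe instance, so you can see which script is actually running.

```powershell
# Added example, not from the original post. Triage the script host and the
# autostart locations before removing anything. Assumes Windows PowerShell 5.1
# or later, run as administrator. Nothing is removed while $commit is $false.
$commit = $false

# Extensions and host names that a VBS/WSF worm's launch commands contain.
$scriptPattern = 'wscript|cscript|\.vbs\b|\.vbe\b|\.wsf\b'

# 1. Which script is each wscript.exe / cscript.exe instance actually running?
#    The host binary is a legitimate Windows file; the command line names the script.
$scriptHosts = @(Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'")
foreach ($p in $scriptHosts) {
    '{0,6}  {1}' -f $p.ProcessId, $p.CommandLine
}

# 2. Run/RunOnce values (per-machine and per-user) whose command invokes a script.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectValues = foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        if ($command -match $scriptPattern) {
            [pscustomobject]@{ Key = $keyPath; Name = $name; Command = $command }
        }
    }
}
$suspectValues | Format-Table -AutoSize

# 3. Script files dropped into the Startup folders (per-user and all-users).
$startupGlobs = @('Startup', 'CommonStartup') |
    ForEach-Object { Join-Path ([Environment]::GetFolderPath($_)) '*' }
$droppedScripts = @(Get-ChildItem -Path $startupGlobs -Include *.vbs,*.vbe,*.wsf -Force -ErrorAction SilentlyContinue)
$droppedScripts | Select-Object FullName, Length, LastWriteTime

# 4. Removal, in this order: stop the host first, otherwise the running script
#    can re-create the Run value and the dropped copy while you delete them.
if ($commit) {
    foreach ($p in $scriptHosts)    { Stop-Process -Id $p.ProcessId -Force }
    foreach ($v in $suspectValues)  { Remove-ItemProperty -Path $v.Key -Name $v.Name }
    foreach ($f in $droppedScripts) { Remove-Item -LiteralPath $f.FullName -Force }
}
```

The command line printed in step 1 also gives you the path of the worm's main copy (the page's "take note of the location" step), so you can delete that file after the process is stopped. The pattern only matches the script hosts and extensions this worm family uses; a worm launched through cmd.exe or PowerShell would need the pattern extended.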
At the CMD prompt, unhide the hidden files on your external drive (G: is the drive letter used in this example; substitute your own):
ATTRIB -S -H G:\*.*
In case the worm that infected your system also hides your folders and creates shortcuts of them, use the following command instead, which also clears the attributes of subfolders and their contents:
ATTRIB -S -H /S /D G:\*.*
Delete the worm and shortcuts.
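The unhide-and-delete step on the external drive, as an added PowerShell example that is not part of the original post. It assumes the drive letter G: from the ATTRIB example above (change $drive), runs as administrator so it can clear the System attribute, and only reports until $commit is set to $true. Rather than deleting every .lnk on the drive, it reads each shortcut's target and arguments and flags only those that launch a script host, which is what this worm's shortcuts do.

```powershell
# Added example, not from the original post. Cleans a removable drive the worm
# has touched. Assumes drive G: (as in the post) and administrator rights.
$drive  = 'G:\'
$commit = $false

# 1. Clear Hidden+System on files and folders, recursively (the PowerShell
#    equivalent of ATTRIB -S -H /S /D G:\*.*). Windows' own hidden+system
#    folders on the drive are skipped, and access errors are reported, not fatal.
$hideMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
Get-ChildItem -LiteralPath $drive -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\(System Volume Information|\$RECYCLE\.BIN)(\\|$)' } |
    Where-Object { ([int]$_.Attributes -band $hideMask) -ne 0 } |
    ForEach-Object {
        try {
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $hideMask))
        } catch {
            Write-Warning "Could not change attributes on $($_.FullName): $_"
        }
    }

# 2. Find the worm's shortcuts: .lnk files whose target or arguments invoke a
#    script host or a script file, not every shortcut on the drive.
$shell = New-Object -ComObject WScript.Shell
$badLinks = @(Get-ChildItem -LiteralPath $drive -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match 'wscript|cscript|\.vbs\b|\.vbe\b|\.wsf\b') {
            [pscustomobject]@{ Link = $_.FullName; Command = $cmd }
        }
    })
$badLinks | Format-Table -AutoSize

# 3. Script files on the drive, which include the worm's own copy.
$scripts = @(Get-ChildItem -LiteralPath $drive -Recurse -Force -Include *.vbs,*.vbe,*.wsf -ErrorAction SilentlyContinue)
$scripts | Select-Object FullName, Length, LastWriteTime

# 4. Remove the flagged shortcuts and scripts only after reviewing the lists.
if ($commit) {
    foreach ($l in $badLinks) { Remove-Item -LiteralPath $l.Link -Force }
    foreach ($s in $scripts)  { Remove-Item -LiteralPath $s.FullName -Force }
}
```

Run this only after the wscript.exe process on the PC has been stopped; while the worm is running, it re-hides the files and re-creates the shortcuts as soon as the drive is plugged in.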
Repairing leftover registry entries.
Copy and paste the following and save it as FIX.REG.
Double-click the file (or right-click it and choose Merge) and click Yes when prompted.
Windows Registry Editor Version 5.00
;BF42CC6BDAB6539B6D4E5126EC66FDF4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (50)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (50)]
NOTE: This is specific to this strain of worm. If the worm was renamed, it uses the new filename as the registry key and as the name of the Run value, so you have to change FIX.REG accordingly.
Update your antivirus program and perform a full scan of the computer.
If you find this tutorial useful, please comment, share or email me.
You can also make a donation to my PayPal account to help me continue my work.
Thank you.
WinXPert
To GOD be the glory!
All content ("Information") contained in this report is the
copyrighted work of WinXPert: Virus and Malware Removal.
The Information is provided on an "as is" basis. WinXPert
disclaims all warranties, whether express or implied, to the maximum extent
permitted by law, including the implied warranties that the Information is
merchantable, of satisfactory quality, accurate, fit for a particular purpose or
need, or non-infringing, unless such implied warranties are legally incapable of
exclusion. Further, WinXPert does not warrant or make any representations
regarding the use or the results of the use of the Information in terms of their
correctness, accuracy, reliability, or otherwise.
Copyright © 2015 Arnaldo Austria. All rights reserved. All other
trademarks are the sole property of their respective owners.
Hi! I'd just like to say thanks because I got rid of the virus thanks to this post!! The virus I got was named microsoft excel.wsf though, but it's basically the same thing. Will make some of my friends with the same virus try this method out. :D