How to Manually Remove VBS Worms
<blockquote data-quote="WinXPert" data-source="post: 257862" data-attributes="member: 4591"><p><span style="font-size: 22px"><strong> Removal instructions for VBS Worms </strong></span></p><p><span style="font-size: 15px"><strong>Based on 20 new worm samples from malwaretips.com</strong></span></p><ul> <li data-xf-list-type="ul"><em>FUD VBS TROYAN AGENT.vbs</em></li> <li data-xf-list-type="ul"><em>VBS TROYAN AGENT (2).vbs</em></li> <li data-xf-list-type="ul"><em>VBS TROYAN AGENT (3).vbs</em></li> <li data-xf-list-type="ul"><em>VBS TROYAN AGENT.vbs</em></li> <li data-xf-list-type="ul"><em>VBSAgent.NDH .vbs</em></li> <li data-xf-list-type="ul"><em>VBSAgent.NDH 2.vbs</em></li> <li data-xf-list-type="ul"><em>VBSAgent.NDH 3.vbs</em></li> <li data-xf-list-type="ul"><em>VBSAgent.NDH 4.vbs</em></li> <li data-xf-list-type="ul"><em>VBSAgent.NDH.vbs</em></li> <li data-xf-list-type="ul"><em>VBSDecode-LG [Trj] 4.vbs</em></li> <li data-xf-list-type="ul"><em>VBSDecode-LG [Trj] .vbs</em></li> <li data-xf-list-type="ul"><em>VBSDecode-LG [Trj] 2.vbs</em></li> <li data-xf-list-type="ul"><em>VBSDecode-LG [Trj] 3.vbs</em></li> <li data-xf-list-type="ul"><em>VBSDecode-LG [Trj] 5.vbs</em></li> <li data-xf-list-type="ul"><em>VBSKryptik.BA .vbs</em></li> <li data-xf-list-type="ul"><em>VBSKryptik.BQ (2).vbs</em></li> <li data-xf-list-type="ul"><em>VBSKryptik.BQ .vbs</em></li> <li data-xf-list-type="ul"><em>VBSKryptik.CC .vbs</em></li> <li data-xf-list-type="ul"><em>VBSTrojanDropper.Agent.NBO .vbs</em></li> <li data-xf-list-type="ul"><em>Worm VBS Dinihou.vbs</em></li> </ul><p></p><p><span style="color: #ffffff"><em><strong>Manual Removal Instructions for VBS Worms: </strong></em></span></p><p></p><p>If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:</p><p></p><p>Make sure you create a System Restore point before proceeding: We'll be using System Explorer in our manual removal 
process.</p><p></p><p>1. Use <span style="color: #ffffff"><strong>System Explorer</strong> </span>or <span style="color: #ffffff"><strong>taskkill (TASKKILL /F /IM WSCRIPT.EXE)</strong> </span>to terminate the malicious process <strong>(wscript.vbs).</strong></p><p></p><p>2. Delete the <span style="color: #ffffff"><strong>vbs files [random_name]</strong> </span>using the <span style="color: #ffffff"><strong>File Directory Explore</strong></span> in the <span style="color: #ffffff"><strong>Autoruns </strong></span>tab.</p><p></p><p><img src="http://i61.tinypic.com/29ypnh1.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><p> The following are other possible locations of the vbs worms:</p><ul> <li data-xf-list-type="ul"><em>%UserProfile%</em>\Start Menu\Programs\Startup</li> <li data-xf-list-type="ul"><em>%AppData%</em></li> <li data-xf-list-type="ul"><em>%Temp%</em></li> <li data-xf-list-type="ul"><em>%windir%</em></li> <li data-xf-list-type="ul"><em>%windir%</em>\system</li> <li data-xf-list-type="ul"><em>%windir%</em>\system32</li> <li data-xf-list-type="ul">root directory of drives</li> </ul><p>3. Right click on any vbs startup entry and select <span style="color: #ffffff"><strong>Open item in RegEdit</strong>.</span> <span style="color: #ffffff"><strong>Regedit </strong></span>launches, delete the registry entries of all data associated with <strong><span style="color: #ffffff">wscript.exe</span>.</strong> This works best with multiple entries. Do it for both HKCU and HKLM. Refresh <span style="color: #ffffff"><strong>System Explorer</strong> </span>and delete any vbs worm entry you may have missed. You can also delete entries one at a time using <strong><span style="color: #ffffff">Delete Item</span>.</strong></p><p></p><p>4. Repair the rest of the registry by deleting the keys created by the vbs worm. 
</p><ul> <li data-xf-list-type="ul">In regedit, navigate to <span style="color: #ffffff"><strong>HKLM\Software</strong></span></li> <li data-xf-list-type="ul">Search for the following data by pressing <span style="color: #ffffff"><strong>Ctrl+F</strong></span>, enter <span style="color: #00ff00"><strong>false -</strong></span> in the <span style="color: #ffffff"><strong>Find what:</strong></span> box and check <span style="color: #ffffff"><strong>Data </strong></span>only</li> <li data-xf-list-type="ul">Click the <span style="color: #ffffff"><strong>Find Next</strong> </span>button</li> <li data-xf-list-type="ul">Delete the registry key on all entries where <span style="color: #00ff00"><strong>false -</strong></span> is found</li> <li data-xf-list-type="ul">Press <strong><span style="color: #ffffff">F3</span> </strong>to search for the next occurrence and repeat till you're done.</li> </ul><p><img src="http://i57.tinypic.com/2u7ln9e.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /> </p><p></p><p>5. Delete the following files in all your external drives and unhide all folders using these commands. The example is for drive <strong>F:</strong>; replace it with the appropriate drive letter in your case.</p><p></p><pre><code>rem switch to the external drive and go to its root
F:
cd \
rem delete the worm scripts (including hidden ones) and its shortcuts
del *.vbs /f /a
del *.lnk /f
rem clear the system and hidden attributes on all files and folders
attrib -s -h /s /d</code></pre><p></p><p>6. 
Perform a scan using an updated antivirus or with Malwarebytes Antimalware to remove entries our manual removal may have missed.</p><p></p><p></p><p>Visit <a href="http://www.bubblews.com/account/325575-winxpert" target="_blank">WinXPert's BubbleWS Page</a></p><p></p><p>Related articles</p><p><a href="http://www.bubblews.com/news/6267437-vbs-killer" target="_blank">VBS Killer</a></p><p><a href="http://www.bubblews.com/news/5128178-how-to-remove-vbs-worm-using-system-explorer" target="_blank">How to Remove VBS Worm Using System Explorer</a></p></blockquote><p></p>
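<p>A read-only audit of the artifacts that steps 2 to 4 look for, as an added PowerShell example that is not part of the original post. It only lists candidates and deletes nothing. The two Run key paths are an assumption about which startup entries are meant; the directories and the <strong>false -</strong> marker are the ones named in the guide.</p>

```powershell
# Read-only audit for the artifacts the guide removes by hand. Nothing is deleted.
# Assumption: run from an elevated prompt so HKLM and %windir% are readable.

# Step 3: autorun values in HKCU and HKLM that launch a script via wscript.exe.
# Assumption: the standard Run keys are the startup entries in question.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match 'wscript(\.exe)?|\.vbs') {
            [pscustomobject]@{ Key = $path; Value = $name; Data = $data }
        }
    }
}

# Step 2: .vbs files (hidden ones included) in the locations listed in the guide.
# Windows ships legitimate scripts in system32 (slmgr.vbs, for example), so
# review this list instead of deleting everything it shows.
$dirs = @("$env:USERPROFILE\Start Menu\Programs\Startup", $env:APPDATA, $env:TEMP,
          $env:windir, "$env:windir\system", "$env:windir\system32")
$dirs += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
$scripts = $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Filter *.vbs -File -Force -ErrorAction SilentlyContinue
    }

# Step 4: registry data under HKLM\Software containing the "false -" marker.
# The recursive walk is slow; keys that cannot be opened are skipped.
$marker = 'false -'
$regHits = Get-ChildItem -Path 'HKLM:\Software' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $data = [string]$k.GetValue($name)
            if ($data -like "*$marker*") {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $data }
            }
        }
    }

Write-Host '--- autorun entries referencing wscript.exe or .vbs ---'
$autoruns | Format-List
Write-Host '--- .vbs files in the listed locations ---'
$scripts | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize
Write-Host '--- registry data containing "false -" ---'
$regHits | Format-List
```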