How to Manually Remove VBS Worms


WinXPert

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
Removal instructions for VBS Worms
Based on 20 new worm samples from malwaretips.com
  • FUD VBS TROYAN AGENT.vbs
  • VBS TROYAN AGENT (2).vbs
  • VBS TROYAN AGENT (3).vbs
  • VBS TROYAN AGENT.vbs
  • VBSAgent.NDH .vbs
  • VBSAgent.NDH 2.vbs
  • VBSAgent.NDH 3.vbs
  • VBSAgent.NDH 4.vbs
  • VBSAgent.NDH.vbs
  • VBSDecode-LG [Trj] 4.vbs
  • VBSDecode-LG [Trj] .vbs
  • VBSDecode-LG [Trj] 2.vbs
  • VBSDecode-LG [Trj] 3.vbs
  • VBSDecode-LG [Trj] 5.vbs
  • VBSKryptik.BA .vbs
  • VBSKryptik.BQ (2).vbs
  • VBSKryptik.BQ .vbs
  • VBSKryptik.CC .vbs
  • VBSTrojanDropper.Agent.NBO .vbs
  • Worm VBS Dinihou.vbs

Manual Removal Instructions for VBS Worms:

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Make sure you create a System Restore point before proceeding. We'll be using System Explorer in our manual removal process.

1. Use System Explorer or taskkill (TASKKILL /F /IM WSCRIPT.EXE) to terminate the malicious process (wscript.vbs).

2. Delete the vbs files [random_name] using the File Directory Explore in the Autoruns tab.



The following are other possible locations of the vbs worms:
  • %UserProfile%\Start Menu\Programs\Startup
  • %AppData%
  • %Temp%
  • %windir%
  • %windir%\system
  • %windir%\system32
  • root directory of drives

3. Right-click any vbs startup entry and select Open item in RegEdit. When Regedit launches, delete the registry entries of all data associated with wscript.exe. This works best with multiple entries. Do it for both HKCU and HKLM. Refresh System Explorer and delete any vbs worm entry you may have missed. You can also delete entries one at a time using Delete Item.

4. Repair the rest of the registry by deleting the keys created by the vbs worm.
  • In regedit, navigate to HKLM\Software
  • Search for the following data by pressing Ctrl+F and entering false - in the Find what: box; check Data only
  • Click the Find Next button
  • Delete the registry key on all entries where false - is found
  • Press F3 to search for the next occurrence and repeat till you're done.


5. Delete the following files on all your external drives and unhide all folders using these commands. The example is for drive F:; replace it with the appropriate drive letter in your case.

Code:
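F:
cd \
rem Delete worm scripts in the drive root, including hidden and read-only copies
del *.vbs /f /a
rem Delete the shortcut (.lnk) files in the drive root
del *.lnk /f
rem Clear the System and Hidden attributes on all files and folders, recursively
attrib -s -h /s /d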

6. Perform a scan using an updated antivirus or with Malwarebytes Antimalware to remove entries our manual removal may have missed.


Reactions: kiric96

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
False valid entries can be found in this part of the registry... so it is not recommended to delete them. Well, for the rest, it is just what I do when I kill vbs malware. Just 1 thing:

It is wscript.exe, not .vbs

MAKING CHANGES TO REGISTRY MAY SEVERELY HARM YOUR PC... (you may wish to put this as a warning or a "disregard")
 

WinXPert

> False valid entries can be found in this part of the registry... so it is not recommended to delete them. Well, for the rest, it is just what I do when I kill vbs malware. Just 1 thing:

Be specific: what exactly are the false valid entries you are talking about?

> It is wscript.exe, not .vbs

NO! wscript.exe is a Windows program, while VBS (Visual Basic Script) files are just text-based script files that contain instructions.

When you double-click a VBS file, it is executed on the fly using wscript.exe. VBS programs may be harmful or useful. I use VBS in my homegrown tools, and they are not malicious, unlike the samples mentioned above.

> MAKING CHANGES TO REGISTRY MAY SEVERELY HARM YOUR PC... (you may wish to put this as a warning or a "disregard")

Have you tried infecting your system with those 20 vbs malwares? Try to do that first, then tell me if there is harm done to your system after following my removal instructions.

If you were infected, won't you repair your registry too instead of just deleting the vbs files? It is common sense that you have to make changes to your registry after an infection in order to reverse the effect of the malwares.
 

kiric96

> Be specific: what exactly are the false valid entries you are talking about?
>
>   • In regedit, navigate to HKLM\Software
>   • Search for the following data by pressing Ctrl+F and entering false - in the Find what: box; check Data only
>   • Click the Find Next button
>   • Delete the registry key on all entries where false - is found
>   • Press F3 to search for the next occurrence and repeat till you're done

Correct me if I am wrong, but you are suggesting that we may erase ALL "false" arguments in the registry. Some programs tend to leave a false argument in an entry, and it doesn't mean it was made by a malicious program.

> NO! wscript.exe is a Windows program, while VBS (Visual Basic Script) files are just text-based script files that contain instructions.
>
> When you double-click a VBS file, it is executed on the fly using wscript.exe. VBS programs may be harmful or useful. I use VBS in my homegrown tools, and they are not malicious, unlike the samples mentioned above.

I know what a vbs file is... and as you said, the vbs is executed or hosted by a "container" called wscript.exe... so to terminate execution you must end that process. wscript.vbs is not always the malicious process... it is just like svchost.exe... many processes run inside it (..) and sometimes this can be used to "hide" the malware, but that doesn't mean it is necessarily malicious.

> Have you tried infecting your system with those 20 vbs malwares? Try to do that first, then tell me if there is harm done to your system after following my removal instructions.
>
> If you were infected, won't you repair your registry too instead of just deleting the vbs files? It is common sense that you have to make changes to your registry after an infection in order to reverse the effect of the malwares.

Actually, my last infection was caused by a vbs malware called avast.vbs... at that time it was not detected by most of the AV vendors.... My point was this: IF YOU CHECK ANY TUTORIAL (even Microsoft's) they put a disregard telling you that it is not a good idea to tweak the registry, especially for users who don't know about PCs. So what I tried to say is: if the user makes another change in this (...), it is his/her fault, not yours, because this "special area of Windows is sensitive to any changes". THAT IS WHAT "DISREGARD" means. You cannot send a 5-year-old child to drive a car... even with instructions and a "how to" it may be a bad idea....

And well, I just tried to give my point of view... however, I see that you were kind of offended and I ask pardon for that; it was not my intention to do so...
 

WinXPert

> Correct me if I am wrong, but you are suggesting that we may erase ALL "false" arguments in the registry. Some programs tend to leave a false argument in an entry, and it doesn't mean it was made by a malicious program.

When I analyzed these worms, I never had any registry data with a value of "false - date". Check the screenshots. All registry keys created under HKLM\SOFTWARE are the filenames of the vbs files.

The only way to remove a vbs file is to terminate wscript.exe.
 
Reactions: kiric96

WinXPert

Based on my analysis, these vbs malwares create registry keys

HKLM\SOFTWARE\filename

with Data = false - MM/DD/YYYY

so removing them won't harm your computer. The name of the registry key created is not hard coded in the script but uses the filename of the vbs file. So if you rename the file as SAMPLE.VBS, it will create HKLM\SOFTWARE\SAMPLE.

Reactions: viktik
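
The registry check from step 4 of the guide, narrowed to the key pattern described in the post above, as an added report-only example (not code from anyone in the thread). It lists keys directly under HKLM\SOFTWARE whose value data matches `false - MM/DD/YYYY` and shows whether a same-named .vbs file exists in the locations the guide lists; the function name, the regular expression and the WOW6432Node root are assumptions added here.

```powershell
# Added example, report only: nothing is deleted.
# Assumption: the marker data has the form "false - MM/DD/YYYY" given in the thread;
# the anchored regex avoids matching unrelated values that merely contain "false".
$markerPattern = '^false - \d{1,2}/\d{1,2}/\d{4}$'

# Drop locations listed in the guide, plus the root of every file-system drive.
$dropFolders = @(
    [Environment]::GetFolderPath('Startup')
    $env:APPDATA
    $env:TEMP
    $env:windir
    Join-Path $env:windir 'system'
    Join-Path $env:windir 'system32'
    (Get-PSDrive -PSProvider FileSystem).Root
) | Where-Object { $_ }

function Find-VbsMarkerKey {   # hypothetical helper name
    param([string]$Root = 'HKLM:\SOFTWARE')
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($data -isnot [string] -or $data -notmatch $markerPattern) { continue }
            # Per the thread, the key name is the script's file name without ".vbs".
            $vbsName = $key.PSChildName + '.vbs'
            $found = @($dropFolders | ForEach-Object { Join-Path $_ $vbsName } |
                Where-Object { Test-Path -LiteralPath $_ })
            $shown = if ($name) { $name } else { '(Default)' }
            [pscustomobject]@{
                Key         = $key.Name
                ValueName   = $shown
                Data        = $data
                ScriptFiles = $found -join '; '
            }
        }
    }
}

# 32-bit processes on 64-bit Windows write under WOW6432Node, so check both views.
'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node' |
    ForEach-Object { Find-VbsMarkerKey -Root $_ } | Format-List
```

Review each reported key before removing it in Regedit; an empty ScriptFiles field may simply mean the script was already deleted.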
