Removal instructions for VBS_WORM (44)
Related tutorials with screenshots:
How to Remove a VBS Worm
Ultimate Guide in Removing VBS Worms
How to block or prevent malware from running
How to terminate a process
Analysis:
Type of file: VBSFile
Description:
Location: C:\Users\WinXPert\AppData\Local\Temp\
Size: 14269 b
MD5: 3EC0820E9AC679BBB68F1BE88937FB5D
Keys added:
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
HKLM\SOFTWARE\VBS_WORM (44)
Values added:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (44): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (44).vbs""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBS_WORM (44): "wscript.exe //B "C:\Users\WinXPert\AppData\Local\Temp\VBS_WORM (44).vbs""
HKLM\SOFTWARE\VBS_WORM (44)\: "false"
Files added:
%Temp%\VBS_WORM (44).vbs
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VBS_WORM (44).vbs
F:\VBS_WORM (44).VBS
F:\File.lnk
F:\Folder.lnk
Files [attributes?] modified:
F:\File.lnk
F:\Folder.lnk
Manual Removal Instructions for VBS_WORM (44):
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Make sure you create a System Restore point before proceeding:
1. Use Task Manager to terminate the malicious process wscript.exe.
2. Delete VBS_WORM (44).VBS from these locations:
%Temp%
Startup folder
Root directory of USB drives
Tutorial: How to delete startup entries
3. Repair the registry using this reg script. Note that the registry key name VBS_WORM (44) is random: it takes the filename of the VBS file.
Windows Registry Editor Version 5.00
;3EC0820E9AC679BBB68F1BE88937FB5D
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (44)"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBS_WORM (44)"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
[-HKEY_LOCAL_MACHINE\SOFTWARE\VBS_WORM (44)]
4. Delete all *.lnk located at the root directory of your external drives. Replace DRIVE with the correct drive letter assignment of your external drives.
DEL DRIVE:\*.LNK
5. Unhide all hidden files and folders using this command. Replace DRIVE with the correct drive letter assignment of your external drives.
ATTRIB DRIVE:\*.* -S -H /S /D
6. Update your antivirus program and perform a full scan of the computer.
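To confirm the cleanup, or to find the same infection when the script carries a different name, the locations from the steps above can be audited with PowerShell. This is an added example, not part of the original tutorial: it only reports and deletes nothing, its variable names are illustrative, and it assumes the marker key under HKLM\SOFTWARE is named after the script file, as in the analysis above.

```powershell
# Added example: read-only audit. It reports findings and changes nothing.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Match on the value data (wscript.exe launching a .vbs), not the value name,
# because the name follows the dropped file's name and differs per sample.
$pattern = '(?i)wscript(?:\.exe)?\s.*?([a-z]:\\[^"]*?\.vbs)'

$runHits = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -match $pattern) {
            $vbsPath = $Matches[1]
            $base    = [IO.Path]::GetFileNameWithoutExtension($vbsPath)
            [pscustomobject]@{
                RunKey       = $key
                ValueName    = $name
                Script       = $vbsPath
                ScriptExists = Test-Path -LiteralPath $vbsPath
                # Assumption: marker key is named after the script file.
                MarkerKey    = Test-Path -LiteralPath "HKLM:\SOFTWARE\$base"
            }
        }
    }
}

# Scripts in the per-user Startup folder (second drop location listed above).
$startup     = [Environment]::GetFolderPath('Startup')
$startupHits = Get-ChildItem -LiteralPath $startup -Filter *.vbs -Force -ErrorAction SilentlyContinue

# Root of each removable drive: .vbs/.lnk files, plus items carrying both +S and +H.
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$driveHits = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    Get-ChildItem -LiteralPath "$($_.DeviceID)\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.vbs', '.lnk' -or
                       ($_.Attributes -band $hiddenSystem) -eq $hiddenSystem } |
        Select-Object FullName, Attributes
}

$runHits     | Format-List
$startupHits | Format-Table FullName, Length, LastWriteTime -AutoSize
$driveHits   | Format-Table -AutoSize
```

Empty output from all three sections after step 6 means none of the listed persistence points or drive artifacts remain for the current user.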
All my tutorials are based on my own research. If you find this tutorial useful, please comment or share. You can also help fund my continued work by making a donation. Thank you and GOD bless!