I have developed a small tool that will help you remove VBS malware from a machine or in a network. I made this some months ago when I saw quite a lot of these doing the rounds. The tool is written entirely in batch, should you wonder.
You should run the script in the following sequence, at least on a normal machine: Plug in your infected USB (if any) and choose A, then B and afterwards C. After these steps, perform a full scan with your installed antivirus product or perform an online scan.
Some tips and tricks:
Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware (for example, it will re-enable Task Manager should it be disabled).
When you use option B, be sure to type only the letter of your USB drive! So if you have a USB drive named G:, you should only type G. This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
With option C you can download Panda USB Vaccine to prevent any other autorun malware entering your computer.
With option D you can disable or re-enable the Windows Script Host (WSH), to prevent any malware abusing it.
I advise ending the script with Q to ensure the logfile is closed properly.
A logfile will open automatically, but is also created by default on the C: drive (C:\Rem-VBS.log).
When the tool is running, do not use the machine for anything else (it takes about 30 seconds to run).
Accidentally used an option and want to exit the script? Use CTRL + C to stop it.
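One common way to do what option D describes is the `Enabled` value under the Windows Script Host `Settings` registry key. The batch script below is an added example, not Rem-VBSworm's own code; the script layout and its `status`/`disable`/`enable` arguments are assumptions, and the page does not state whether the tool uses this same value.

```batch
@echo off
rem Added example (not Rem-VBSworm code). Usage: <script> status^|disable^|enable
rem Writing the machine-wide HKLM value needs an elevated prompt.
setlocal
set "KEY=Software\Microsoft\Windows Script Host\Settings"

if /i "%~1"=="status"  goto :status
if /i "%~1"=="disable" goto :disable
if /i "%~1"=="enable"  goto :enable
echo Usage: %~nx0 status^|disable^|enable
exit /b 2

:disable
rem Enabled=0 makes wscript.exe and cscript.exe refuse to run scripts.
reg add "HKLM\%KEY%" /v Enabled /t REG_DWORD /d 0 /f >nul || goto :failed
goto :status

:enable
rem Removing the value restores the default behaviour (WSH allowed).
rem The per-user value is removed too, in case it was set separately.
reg delete "HKLM\%KEY%" /v Enabled /f >nul 2>&1
reg delete "HKCU\%KEY%" /v Enabled /f >nul 2>&1
goto :status

:status
rem Report the value in both hives so a leftover setting is visible.
for %%H in (HKLM HKCU) do call :show %%H
exit /b 0

:show
set "VAL="
for /f "tokens=3" %%V in ('reg query "%1\%KEY%" /v Enabled 2^>nul ^| find /i "Enabled"') do set "VAL=%%V"
if not defined VAL (echo %1: Enabled not set ^(default: WSH allowed^)) else echo %1: Enabled=%VAL%
exit /b 0

:failed
echo Could not write HKLM. Run this from an elevated prompt.
exit /b 1
```

Running it with `status` before and after a cleanup shows whether something else on the machine has changed the setting.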
You can use this to remedy the following malware:
Excedow
Jenxcus
Houdini/Dinihu
Autorun worms
Any other VBS (VBScript) or VBE malware
Any other malware that abuses the WSH (Windows Script Host)
What is new in this release:
07/06/2016 - version 8.0.0:
FIXED: issue when executing from drive other than system drive (option A)
IMPROVED: detection of malicious scheduled tasks (option A)
IMPROVED: detection of certain autorun/VBS worms
What is new in version 6.0.0:
23/12/2015 - version 6.0.0:
ADDED: logging of USB device ID
IMPROVED: log output is now completely streamlined and cleaned
IMPROVED: disabling of WSH on Windows XP (option D)
IMPROVED: scanning time (option A)
IMPROVED: detection of certain autorun/VBS worms
What is new in version 5.0.0:
21/10/2015 - version 5.0.0:
ADDED: logging of installed antivirus
ADDED: detection of malicious shortcut links in startup folders
ADDED: malicious VBS files now automatically copied to quarantine for research purposes (on C:Rem-VBSqt)
IMPROVED: handling of files, resulting in almost no false positives now
IMPROVED: detection of certain malware variants using autorun to spread or hiding files (Fanny worm, Andromeda/Gamarue malware)
IMPROVED: minor code cleanup, minor log output cleanup - greater visibility
9 Comments
ton, 27 Feb 16: Good
jimmysteven, 31 Aug 16: Excellent
ggggg, 20 Nov 16: goog
sak, 12 Jan 17: Thank you
sing, 15 Feb 17: Really excellent, thank you
vbs worm delete, 26 May 17: Very good
thak, 3 Jun 18: thank
Woody, 19 Jan 22: Good app
gerkpol, 22 Aug 22: good