Worm:VBS/Agent copies itself to various locations on the infected machine and modifies the registry to redirect various user actions into unwittingly executing the worm copies.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Note: disinfection will remove the malicious VBS files (including files detected in the Alternate Data Stream) but will not repair system damage inflicted by the malware.
Caution: Manual disinfection is recommended only for advanced users.
- Delete the registry keys explore and open.
- Open a command prompt (cmd), change to the root of the drive and delete the .lnk files there:
  cd \
  del *.lnk
- Unhide the Windows folders:
  attrib -s -h Windows
  attrib -s -h "Program Files"
  attrib -s -h "Documents and Settings"
  Run attrib -s -h on any other necessary files and folders that have been set to system and hidden.
- Restore the following registry values, which the worm has redirected to WScript.exe, to their defaults:
  HKLM\SOFTWARE\Classes\regfile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: "regedit.exe "%1""
  HKLM\SOFTWARE\Classes\batfile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: ""%1" %*"
  HKLM\SOFTWARE\Classes\chm.file\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: ""C:\WINDOWS\hh.exe" %1"
  HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: ""%1" %*"
  HKLM\SOFTWARE\Classes\hlpfile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: "%SystemRoot%\System32\winhlp32.exe %1"
  HKLM\SOFTWARE\Classes\inffile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: "%SystemRoot%\System32\NOTEPAD.EXE %1"
  HKLM\SOFTWARE\Classes\inifile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: "%SystemRoot%\System32\NOTEPAD.EXE %1"
  HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
    To: "%SystemRoot%\system32\NOTEPAD.EXE %1"
  HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" OIE "
    To: ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
  HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\
    From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:1212864906.vbs" OIE "
    To: ""C:\Program Files\Internet Explorer\iexplore.exe""
- Restore the Folder Options settings the worm changed so that its hidden files stay hidden:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue
    From: 0x00000003
    To: 0x00000002
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
    From: 0x00000002
    To: 0x00000001
- The worm also sets the following startup value (the load value under this key is run at user logon):
  HKU\S-1-5-21-1390067357-1275210071-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""C:\WINDOWS\system32\smss.exe:1212864906.vbs""
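The following read-only audit script is an added example and is not F-Secure's tool or code. It checks the handler keys, Folder Options values and per-user load value listed above, and looks for alternate data streams on explorer.exe and smss.exe (the two host files the description names). The expected clean commands are taken from the "To:" values above; anything referencing WScript.exe or a .vbs file is reported as an indicator, and any other deviation from those defaults is reported separately since it may be a legitimate customisation. It assumes PowerShell 3.0 or later (for Get-Item -Stream) and an elevated prompt so every loaded hive under HKEY_USERS can be read. It changes nothing; remediation is still the manual steps above or the product's own disinfection.

```powershell
# Added example (not from the F-Secure page): read-only audit for the indicators
# listed in the Worm:VBS/Agent description. Returns findings as objects; changes nothing.
# Assumes PowerShell 3.0+ and an elevated prompt.

function Find-VbsAgentIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    # Indicator from the description: handlers redirected to WScript.exe running a .vbs stream.
    $hijackPattern = 'wscript\.exe|\.vbs'
    # Read REG_EXPAND_SZ values literally so "%SystemRoot%" compares to the listed default.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    function Add-Finding($Location, $Value, $Reason) {
        $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value; Reason = $Reason })
    }

    # Expected (clean) shell\open\command values: the "To:" entries from the description.
    $expected = @{
        'regfile'                   = 'regedit.exe "%1"'
        'batfile'                   = '"%1" %*'
        'cmdfile'                   = '"%1" %*'
        'chm.file'                  = '"C:\WINDOWS\hh.exe" %1'
        'hlpfile'                   = '%SystemRoot%\System32\winhlp32.exe %1'
        'inffile'                   = '%SystemRoot%\System32\NOTEPAD.EXE %1'
        'inifile'                   = '%SystemRoot%\System32\NOTEPAD.EXE %1'
        'txtfile'                   = '%SystemRoot%\system32\NOTEPAD.EXE %1'
        'Applications\iexplore.exe' = '"C:\Program Files\Internet Explorer\iexplore.exe" %1'
    }
    foreach ($class in $expected.Keys) {
        $path = "HKLM:\SOFTWARE\Classes\$class\shell\open\command"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $cmd = (Get-Item -LiteralPath $path).GetValue('', '', $noExpand)
        if ($cmd -match $hijackPattern) {
            Add-Finding $path $cmd 'handler points at WScript.exe / a .vbs file'
        } elseif ($cmd.Trim() -ne $expected[$class]) {
            Add-Finding $path $cmd 'differs from the listed default (may be a legitimate customisation)'
        }
    }

    # Internet Explorer "Open Home Page" command (CLSID from the description).
    $homePage = 'HKLM:\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command'
    if (Test-Path -LiteralPath $homePage) {
        $cmd = (Get-Item -LiteralPath $homePage).GetValue('', '', $noExpand)
        if ($cmd -match $hijackPattern) { Add-Finding $homePage $cmd 'home-page command points at a .vbs stream' }
    }

    # Folder Options defaults the worm alters so that its hidden files stay hidden.
    $hiddenDefaults = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN' = 2
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'  = 1
    }
    foreach ($path in $hiddenDefaults.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $val = (Get-ItemProperty -LiteralPath $path -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
        if ($null -ne $val -and $val -ne $hiddenDefaults[$path]) {
            Add-Finding "$path\CheckedValue" $val "expected $($hiddenDefaults[$path])"
        }
    }

    # Per-user autostart: the "load" value is run at logon; the description shows it
    # pointing at a .vbs stream on smss.exe. Check every loaded user hive, not one SID.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
        $path = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        $load = (Get-ItemProperty -LiteralPath $path -Name load -ErrorAction SilentlyContinue).load
        if ($load) {
            $reason = if ($load -match $hijackPattern) { 'autostart points at a .vbs stream' } else { 'non-empty autostart value, review it' }
            Add-Finding "$path\load" $load $reason
        }
    }

    # Alternate data streams on the two host files named in the description.
    foreach ($file in "$env:SystemRoot\explorer.exe", "$env:SystemRoot\system32\smss.exe") {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { Add-Finding "$($file):$($_.Stream)" $_.Length 'unexpected alternate data stream (size in bytes)' }
    }

    return $findings
}

# Usage: an empty table means none of the listed indicators were found.
Find-VbsAgentIndicators | Format-Table -AutoSize
```

The streams check is the one place the script can see the worm even when the handler keys have already been repaired: disinfection by the product removes the stream, but a manually cleaned registry leaves `explorer.exe:[numbers].vbs` in place until the stream itself is deleted.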
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The suspect file is written in Visual Basic Script (and may also be detected as Trojan.VBS.Autorun.[variant]). Infection is triggered by executing the file with wscript:
Upon execution, the malware will attempt to perform the following actions: