Remove Shortcut Virus IEXPLORE.VBS From Flash Drive And Computer

Question

I got infected by this virus through my USB drive yesterday. It took me three hours to figure out how to remove it. So I wanted to share my steps.

Symptoms: The worm creates shortcuts for any files and folders placed onto the USB drive and makes the original files invisible.

The created shortcuts point to the following path:

C:\Windows\system32\cmd.exe /c cls&cls&cls&cls&cls&cls&cls&start weiche.JPG&cls&cls&cls&cls&cls&cls&start iexplore.vbs&cls&cls&cls&cls&cls&cls&exit

Anti-Malware tried: I ran a scan with the following tools, none of them detected the worm:

Microsoft Security Essentials

Malwarebytes

Hitman Pro

ADWCleaner

TDSSKiller

Norton Power Eraser

Microsoft Safety Scanner

Solution:

1. Kill wscript.exe in task manager
2. Remove iexplore.vbs from startup (it created three different entries)
3. Make files on USB drive visible: Open cmd, type attrib -h -r -s /s i:\*.* (with i: being your drive letter)
4. Delete those files on USB drive and format just to be sure
5. Go to C:\Users{user}\AppData\Roaming\Internet Explorer\ and delete it. The folder seems to be empty but inside sits iexplore.vbs

Good luck.

Answer 1

Thank you for providing the community with the solution on how you removed this infected, I'm sure it'll come in use :)

Answer 2

I got infected by this virus through my USB drive yesterday. It took me three hours to figure out how to remove it. So I wanted to share my steps.

Symptoms: The worm creates shortcuts for any files and folders placed onto the USB drive and makes the original files invisible.

The created shortcuts point to the following path:

C:\Windows\system32\cmd.exe /c cls&cls&cls&cls&cls&cls&cls&start weiche.JPG&cls&cls&cls&cls&cls&cls&start iexplore.vbs&cls&cls&cls&cls&cls&cls&exit

Anti-Malware tried: I ran a scan with the following tools, none of them detected the worm:

Microsoft Security Essentials

Malwarebytes

Hitman Pro

ADWCleaner

TDSSKiller

Norton Power Eraser

Microsoft Safety Scanner

Solution:

1. Kill wscript.exe in task manager
2. Remove iexplore.vbs from startup (it created three different entries)
3. Make files on USB drive visible: Open cmd, type attrib -h -r -s /s i:\*.* (with i: being your drive letter)
4. Delete those files on USB drive and format just to be sure
5. Go to C:\Users{user}\AppData\Roaming\Internet Explorer\ and delete it. The folder seems to be empty but inside sits iexplore.vbs

Good luck.

erm, this didn't work for me. i killed the wscript.exe. removed iexplore.vbs from startup, and deleted the folder. still, after restarting, the wscript tried to call the iexplore.vbs script. :(

still infected

Answer 3

Did you follow step 3 and 4?

It's inevitable to clean your flash drive that way, otherwise you'll get reinfected the next time you insert it.

Answer 4

Did you follow step 3 and 4?

It's inevitable to clean your flash drive that way, otherwise you'll get reinfected the next time you insert it.

erm, my drive wasn't visible on my CMD. Drive's name was E: in my case. So, i went on and did a full format (mind you, not quick format. the long waiting format), cz i really didn't have important files on them. so, i figured that solved it.

i haven't inserted my USB after that. after formatting i removed the USB, and continued with removing the iexplore.vbs files, stopping related startup processes, etc... I'll keep you posted in case the USB hasn't been cleaned up. right now, im backing up everything on my hard-drive just in case.

/thanks

Answer 5

I like your method. There's also an interesting tool available

UsbFix 7.902

http://www.en.usbfix.net/

~bhringer