View Single Post
Old 06-04-2014, 07:31 PM   #8
chap88
Member
 
Join Date: Mar 2008
Posts: 126
To Mighty_Orange and Swordsman
I have managed to clean my PC. Here is how I did it...a bit lengthy... but that is how i recall doing it. Let me know if it works for you.

The virus file(s) is a VBS script file by the name of FB_CDBB.tmp.vbs (plus 2 other similarly named files).
This virus files needs the windows file wscript.exe to execute itself.
The shortcuts that you see on your thumbdrive are the trigger – when you click on the shortcut, it executes the “wscript.exe FB_CDBB.tmp.vbs ...”
So the problem is really the FB_CDBB.tmp.vbs files and not the wscript.exe (apparently this is a legitimate windows system file).
Search for wscript.exe in the C:
At least 2 (I got 3 in another PC) will show.
If you try to delete them, it will say you don’t have permission.
So, Right-click on each one – properties -> Security tab -> Advanced -> Owner -> Edit
Change owner to : /* choose the one with your name */
Click OK until you get out.
Now, right-click on the wscript.exe that you just performed the above steps.
Go to Properties-> Security tab -> Edit
Under “Group or User names:” choose the one with your name (as above).
Under “Permission for SYSTEM” – “check the Full Control”
Click OK and then proceed to delete the wscript.exe file.
Continue the above steps for each of the wscript.exe.
----- Part 2 ----
Now you need to remove the virus itself. The file is a VBS called FB_CDBB.tmp.vbs plus 2 other files of similar FB_xxxx.
You need to do the following on the C: drive and all the thumbdrives that you have plugged into the infected PC:
In the CMD window (press windows-key + R, then type CMD in the popup), type this:
attrib -h -s -r /s /d C:*.*
This step is to change the attributes and to make the virus files visible for deletion.

Then, open up your C: drive, and in the search box (top-right corner) type in the “FB_”
This will find all files beginning with FB_
You should find one inside C:...\Microsoft\Windows\Start Menu\Programs\Startup
Delete all instances of this files.
Now do the same thing for all your thumbdrives (change the drive letter to “G” or whatever is your thumbdrive’s)
attrib -h -s -r /s /d G:*.*
Search and delete as above.
Empty you recycle bin.
Reboot.

After reboot, if you get a desktop.ini file that is displayed in notepad. Then the virus is still around. I had this on one of the 2 pcs that was infected.
Then other PC was fine after performing the above steps.
If you get the desktop.ini file popping up upon reboot, do the following:
Press window-key + R;
type in shell:startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
Then Press window-key + R;
type in shell:common startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
I believe this should work for you as it had worked well for me.
Most of the above info is available on the web but it was not put together into a process that found worked for me.
chap88 is offline   Reply With Quote