www.hardwarezone.com.sg


Swordsman 24-08-2013 10:35 AM

Wscript.exe virus
 
How do I get rid of the virus or malware? :(

I close it, every time I restart it appears, then my antivirus will block some URL that this wscript.exe is opening..

It affects my thumbdrive also.

Duplicating tons of shortcut folders..

Swordsman 25-08-2013 10:55 AM

Has no one been hit by this before and managed to remove it?

ctingyee 27-08-2013 04:09 PM

I don't think wscript.exe is a virus but I think it was called/used to run the nasty scripts every time you start up the computer.

Can you disable the start-up items that you don't recognize or that are run by wscript at Run->msconfig->Startup?

d3n 27-08-2013 05:10 PM

Google

_Dave_ 28-08-2013 01:13 PM

Think I faced this before. I deleted wscript.exe on the thumbdrive, and then created an empty file and named it wscript.exe. Somehow, I think this virus checks for the presence of this file - if not present, infect. If present, skip.

chap88 15-09-2013 11:37 PM

Not sure if you solved the problem yet.
I had a thumbdrive given to me and my 2 PCs got infected by this "shortcut" malware (some called it a trojan - i.e. very dangerous).
Basically, the malware hides all your files and displays only shortcuts to them.
When you click on the shortcut, you unknowingly run a script (in my case 3 files with similar names, FB_7649.tmp.vbs being one of them).
This then infects the host PC. So whenever you plug in a good thumbdrive, it will immediately infect it.
It was extremely annoying and it took me almost the last 4 days trying to get rid of it.
I finally got rid of the last of it.
If yours is not solved yet, perhaps I will spend the time to trace the steps that I took since it was a lot of trial and error and complicated.


Quote:

Originally Posted by Swordsman (Post 78991770)
Has no one been hit by this before and managed to remove it?


Mighty_Orange 31-03-2014 05:54 PM

Quote:

Originally Posted by chap88 (Post 79563328)

Anyone been hit by this before.. mind sharing how you get rid of the virus??

chap88 06-04-2014 07:31 PM

To Mighty_Orange and Swordsman
I have managed to clean my PC. Here is how I did it... a bit lengthy... but that is how I recall doing it. Let me know if it works for you.

The virus file(s) is a VBS script file by the name of FB_CDBB.tmp.vbs (plus 2 other similarly named files).
These virus files need the Windows file wscript.exe to execute themselves.
The shortcuts that you see on your thumbdrive are the trigger – when you click on the shortcut, it executes “wscript.exe FB_CDBB.tmp.vbs ...”
So the problem is really the FB_CDBB.tmp.vbs files and not wscript.exe (apparently this is a legitimate Windows system file).
Search for wscript.exe in C:
At least 2 (I got 3 in another PC) will show.
If you try to delete them, it will say you don’t have permission.
So, Right-click on each one – properties -> Security tab -> Advanced -> Owner -> Edit
Change owner to : /* choose the one with your name */
Click OK until you get out.
Now, right-click on the wscript.exe that you just performed the above steps on.
Go to Properties-> Security tab -> Edit
Under “Group or User names:” choose the one with your name (as above).
Under “Permission for SYSTEM” – “check the Full Control”
Click OK and then proceed to delete the wscript.exe file.
Continue the above steps for each of the wscript.exe.
----- Part 2 ----
Now you need to remove the virus itself. The file is a VBS called FB_CDBB.tmp.vbs plus 2 other files with similar FB_xxxx names.
You need to do the following on the C: drive and all the thumbdrives that you have plugged into the infected PC:
In the CMD window (press windows-key + R, then type CMD in the popup), type this:
attrib -h -s -r /s /d C:*.*
This step is to change the attributes and to make the virus files visible for deletion.

Then, open up your C: drive, and in the search box (top-right corner) type in the “FB_”
This will find all files beginning with FB_
You should find one inside C:...\Microsoft\Windows\Start Menu\Programs\Startup
Delete all instances of these files.
Now do the same thing for all your thumbdrives (change the drive letter to “G” or whatever your thumbdrive’s is)
attrib -h -s -r /s /d G:*.*
Search and delete as above.
Empty your recycle bin.
Reboot.

After reboot, if you get a desktop.ini file displayed in Notepad, then the virus is still around. I had this on one of the 2 PCs that were infected.
The other PC was fine after performing the above steps.
If you get the desktop.ini file popping up upon reboot, do the following:
Press Windows key + R;
type in shell:startup
If you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all.
Then press Windows key + R;
type in shell:common startup
If you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all.
I believe this should work for you as it had worked well for me.
Most of the above info is available on the web but it was not put together into a process that I found worked for me.
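
A read-only way to list the files the steps above look for, added here as an example and not part of chap88's post: it walks a folder or drive, reports files named like FB_xxxx.tmp.vbs and shortcuts whose contents mention a script host together with a .vbs file, and changes nothing. The wildcard after FB_, the byte-search heuristic for .lnk files and the sample tree built by build_sample are assumptions of this example.

```python
import os
import re
import tempfile

# Names on the page: FB_7649.tmp.vbs, FB_CDBB.tmp.vbs; the wildcard is an assumption.
SCRIPT_NAME = re.compile(r"^FB_[0-9A-Za-z]+\.tmp\.vbs$", re.IGNORECASE)
HOSTS = ("wscript", "cscript")  # Windows Script Host binaries

def lnk_runs_script(path):
    # A .lnk keeps its target and arguments as ANSI and/or UTF-16LE strings,
    # so search both encodings for a script host plus ".vbs" (a heuristic).
    with open(path, "rb") as fh:
        raw = fh.read(1 << 20).lower()
    def has(word):
        return word.encode("ascii") in raw or word.encode("utf-16-le") in raw
    return any(has(h) for h in HOSTS) and has(".vbs")

def triage(root):
    """Walk root read-only; list script files and shortcuts that launch them."""
    found = {"scripts": [], "shortcuts": []}
    for folder, _dirs, files in os.walk(root):  # also returns hidden files
        for name in sorted(files):
            full = os.path.join(folder, name)
            if SCRIPT_NAME.match(name):
                found["scripts"].append(full)
            elif name.lower().endswith(".lnk"):
                try:
                    if lnk_runs_script(full):
                        found["shortcuts"].append(full)
                except OSError:
                    pass  # unreadable shortcut: skip it
    return found

def build_sample(root):
    """Constructed stand-in for an affected drive; the files are inert."""
    os.mkdir(os.path.join(root, "Startup"))
    samples = {
        os.path.join("Startup", "FB_CDBB.tmp.vbs"): b"' inert placeholder\r\n",
        "Photos.lnk": b"L\0\0\0" + "wscript.exe FB_CDBB.tmp.vbs".encode("utf-16-le"),
        "Notes.lnk": b"L\0\0\0" + "C:\\Windows\\notepad.exe".encode("utf-16-le"),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample(drive)
        print(triage(drive))
```

To check a real drive, call triage on its root (for example the thumbdrive's letter) and review the listed paths before deleting anything.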

Swordsman 07-05-2014 06:33 PM

Quote:

Originally Posted by chap88 (Post 84796783)

Thanks but I need days to understand this. lol. :s13:

