HWZ Forums

Login Register FAQ Mark Forums Read

Wscript.exe virus

Share This Page
HardwareZone.com on Facebook
Reply
 
LinkBack Thread Tools
Old 24-08-2013, 10:35 AM   #1
Great Supremacy Member
 
Swordsman's Avatar
 
Join Date: Jan 2002
Posts: 56,150
Wscript.exe virus

How do i get rid of the virus or malware ?

i close it, everytime restart it appears, then my anti virus will block some url that this wscript.exe is opening..

It affects my thumbdrive also.

duplicating tons of shortcut folders..
Swordsman is offline   Reply With Quote
Old 25-08-2013, 10:55 AM   #2
Great Supremacy Member
 
Swordsman's Avatar
 
Join Date: Jan 2002
Posts: 56,150
no one kena before and managed to remove it ?
Swordsman is offline   Reply With Quote
Old 27-08-2013, 04:09 PM   #3
Junior Member
 
ctingyee's Avatar
 
Join Date: Jun 2011
Posts: 80
I don't think wscript.exe is virus but I think it was called/used to run the nasty scripts every time you start up the computer.

Can you disable the start-up items that you don't recognize or run by wscript at Run->msconfig->Startup?
ctingyee is offline   Reply With Quote
Old 27-08-2013, 05:10 PM   #4
d3n
Arch-Supremacy Member
 
d3n's Avatar
 
Join Date: Aug 2003
Posts: 14,947
Google
__________________
About Love Production - Pre Wedding, Events & Travel Photography Service -> http://www.aboutlove.sg
d3n is offline   Reply With Quote
Old 28-08-2013, 01:13 PM   #5
Senior Member
 
_Dave_'s Avatar
 
Join Date: Jul 2013
Posts: 631
think i faced this before. i deleted wscript.exe on the thumbdrive, and then created an empty file and named it wscript.exe. somehow, i think this virus checks for the presence of this file - if not present, infect. if present, skip.
_Dave_ is offline   Reply With Quote
Old 15-09-2013, 11:37 PM   #6
Member
 
Join Date: Mar 2008
Posts: 119
Not sure if you solved the problem yet.
I had a thumbdrive given to me and my 2 pcs got infected by this "shortcut" malware (some called it trojan - i.e. very dangerous)
Basically, the malware hides all your files and displays only shortcuts to them.
When you click on the shortcut, you unknowingly run a script (in my case 3 files with similarly names like FB_7649.tmp.vbs being one of them).
This then infects the host pc. So whenever you plug in a good thumbdrive, it will immediately infect it.
It was extremely annoying and it took me almost the last 4 days trying to rid it.
I finally got rid of the last of it.
If yours is not solved yet, perhaps I will spend the time to trace the steps that I took since it was a lot of trail and error and complicated.


no one kena before and managed to remove it ?
chap88 is offline   Reply With Quote
Old 31-03-2014, 05:54 PM   #7
Senior Member
 
Join Date: May 2013
Posts: 809
Not sure if you solved the problem yet.
I had a thumbdrive given to me and my 2 pcs got infected by this "shortcut" malware (some called it trojan - i.e. very dangerous)
Basically, the malware hides all your files and displays only shortcuts to them.
When you click on the shortcut, you unknowingly run a script (in my case 3 files with similarly names like FB_7649.tmp.vbs being one of them).
This then infects the host pc. So whenever you plug in a good thumbdrive, it will immediately infect it.
It was extremely annoying and it took me almost the last 4 days trying to rid it.
I finally got rid of the last of it.
If yours is not solved yet, perhaps I will spend the time to trace the steps that I took since it was a lot of trail and error and complicated.
Anyone kena before .. mind sharing how you get rid of the virus ??
Mighty_Orange is offline   Reply With Quote
Old 31-03-2014, 07:42 PM   #8
Senior Member
 
Join Date: Jan 2000
Posts: 1,202
Restart your PC in safe mode with networking.

Try this: https://www.malwarebytes.org/

Followed by Hitman Pro: HitmanPro 3 - SurfRight

Use the free version / 30 day trial would do.

I think together they probably can detect 99% of malware out there.

Many malware use wscript.exe from Microsoft or pretend to be it.

After you clean up your system, remember to install a good antivirus and give it one more full scan. I recommend Avast (free), Avira (free), Kaspersky (paid) or Bitdefender (paid).

Once your base system is clean, Disable all autoruns in Windows: http://www.disableautorun.com/

Important: Also scan all your removable USB thumb drives and portable HDD since they may be infected.

Scan and clean all your USB thumb drives and portable HDDs one-by-one. Repeat scans with MalwareBytes, Hitman Pro 3 and your installed antivirus (with latest virus signature database update).

Immunization prevents a re-infection of an USB drive.

Immunize your USB thumb drives/HDDs: Bitdfender USB Immunizer or Panda USB Vaccine

A more comprehensive guide: http://malwaretips.com/blogs/malware...e-for-windows/

Last edited by ykgoh; 31-03-2014 at 08:02 PM..
ykgoh is offline   Reply With Quote
Old 01-04-2014, 11:55 PM   #9
Senior Member
 
Join Date: Jan 2000
Posts: 1,202
Looks like the malware TS describes.

VBScript “shortcuts” virus removal | Security on Steroids
ykgoh is offline   Reply With Quote
Old 06-04-2014, 07:31 PM   #10
Member
 
Join Date: Mar 2008
Posts: 119
To Mighty_Orange and Swordsman
I have managed to clean my PC. Here is how I did it...a bit lengthy... but that is how i recall doing it. Let me know if it works for you.

The virus file(s) is a VBS script file by the name of FB_CDBB.tmp.vbs (plus 2 other similarly named files).
This virus files needs the windows file wscript.exe to execute itself.
The shortcuts that you see on your thumbdrive are the trigger – when you click on the shortcut, it executes the “wscript.exe FB_CDBB.tmp.vbs ...”
So the problem is really the FB_CDBB.tmp.vbs files and not the wscript.exe (apparently this is a legitimate windows system file).
Search for wscript.exe in the C:
At least 2 (I got 3 in another PC) will show.
If you try to delete them, it will say you don’t have permission.
So, Right-click on each one – properties -> Security tab -> Advanced -> Owner -> Edit
Change owner to : /* choose the one with your name */
Click OK until you get out.
Now, right-click on the wscript.exe that you just performed the above steps.
Go to Properties-> Security tab -> Edit
Under “Group or User names:” choose the one with your name (as above).
Under “Permission for SYSTEM” – “check the Full Control”
Click OK and then proceed to delete the wscript.exe file.
Continue the above steps for each of the wscript.exe.
----- Part 2 ----
Now you need to remove the virus itself. The file is a VBS called FB_CDBB.tmp.vbs plus 2 other files of similar FB_xxxx.
You need to do the following on the C: drive and all the thumbdrives that you have plugged into the infected PC:
In the CMD window (press windows-key + R, then type CMD in the popup), type this:
attrib -h -s -r /s /d C:*.*
This step is to change the attributes and to make the virus files visible for deletion.

Then, open up your C: drive, and in the search box (top-right corner) type in the “FB_”
This will find all files beginning with FB_
You should find one inside C:...\Microsoft\Windows\Start Menu\Programs\Startup
Delete all instances of this files.
Now do the same thing for all your thumbdrives (change the drive letter to “G” or whatever is your thumbdrive’s)
attrib -h -s -r /s /d G:*.*
Search and delete as above.
Empty you recycle bin.
Reboot.

After reboot, if you get a desktop.ini file that is displayed in notepad. Then the virus is still around. I had this on one of the 2 pcs that was infected.
Then other PC was fine after performing the above steps.
If you get the desktop.ini file popping up upon reboot, do the following:
Press window-key + R;
type in shell:startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
Then Press window-key + R;
type in shell:common startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
I believe this should work for you as it had worked well for me.
Most of the above info is available on the web but it was not put together into a process that found worked for me.
chap88 is offline   Reply With Quote
Old 07-05-2014, 06:33 PM   #11
Great Supremacy Member
 
Swordsman's Avatar
 
Join Date: Jan 2002
Posts: 56,150
To Mighty_Orange and Swordsman
I have managed to clean my PC. Here is how I did it...a bit lengthy... but that is how i recall doing it. Let me know if it works for you.

The virus file(s) is a VBS script file by the name of FB_CDBB.tmp.vbs (plus 2 other similarly named files).
This virus files needs the windows file wscript.exe to execute itself.
The shortcuts that you see on your thumbdrive are the trigger – when you click on the shortcut, it executes the “wscript.exe FB_CDBB.tmp.vbs ...”
So the problem is really the FB_CDBB.tmp.vbs files and not the wscript.exe (apparently this is a legitimate windows system file).
Search for wscript.exe in the C:
At least 2 (I got 3 in another PC) will show.
If you try to delete them, it will say you don’t have permission.
So, Right-click on each one – properties -> Security tab -> Advanced -> Owner -> Edit
Change owner to : /* choose the one with your name */
Click OK until you get out.
Now, right-click on the wscript.exe that you just performed the above steps.
Go to Properties-> Security tab -> Edit
Under “Group or User names:” choose the one with your name (as above).
Under “Permission for SYSTEM” – “check the Full Control”
Click OK and then proceed to delete the wscript.exe file.
Continue the above steps for each of the wscript.exe.
----- Part 2 ----
Now you need to remove the virus itself. The file is a VBS called FB_CDBB.tmp.vbs plus 2 other files of similar FB_xxxx.
You need to do the following on the C: drive and all the thumbdrives that you have plugged into the infected PC:
In the CMD window (press windows-key + R, then type CMD in the popup), type this:
attrib -h -s -r /s /d C:*.*
This step is to change the attributes and to make the virus files visible for deletion.

Then, open up your C: drive, and in the search box (top-right corner) type in the “FB_”
This will find all files beginning with FB_
You should find one inside C:...\Microsoft\Windows\Start Menu\Programs\Startup
Delete all instances of this files.
Now do the same thing for all your thumbdrives (change the drive letter to “G” or whatever is your thumbdrive’s)
attrib -h -s -r /s /d G:*.*
Search and delete as above.
Empty you recycle bin.
Reboot.

After reboot, if you get a desktop.ini file that is displayed in notepad. Then the virus is still around. I had this on one of the 2 pcs that was infected.
Then other PC was fine after performing the above steps.
If you get the desktop.ini file popping up upon reboot, do the following:
Press window-key + R;
type in shell:startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
Then Press window-key + R;
type in shell:common startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
I believe this should work for you as it had worked well for me.
Most of the above info is available on the web but it was not put together into a process that found worked for me.
thanks but i need days to understand this. lol.
Swordsman is offline   Reply With Quote
Reply
Important Forum Advisory Note
This forum is moderated by volunteer moderators who will react only to members' feedback on posts. Moderators are not employees or representatives of HWZ. Forum members and moderators are responsible for their own posts.

Please refer to our Terms of Service for more information.


Thread Tools

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

Samsung
Rewards