Wscript.exe virus

Swordsman

How do I get rid of the virus or malware? :(

I close it, every time I restart it appears, then my antivirus will block some URL that this wscript.exe is opening..

It affects my thumbdrive also.

Duplicating tons of shortcut folders..
 

Swordsman

no one kena before and managed to remove it ?
 

ctingyee

I don't think wscript.exe is a virus, but I think it was called/used to run the nasty scripts every time you start up the computer.

Can you disable the start-up items that you don't recognize or that are run by wscript at Run->msconfig->Startup?
 

_Dave_

think i faced this before. i deleted wscript.exe on the thumbdrive, and then created an empty file and named it wscript.exe. somehow, i think this virus checks for the presence of this file - if not present, infect. if present, skip.
 

chap88

Not sure if you solved the problem yet.
I had a thumbdrive given to me and my 2 PCs got infected by this "shortcut" malware (some called it a trojan - i.e. very dangerous).
Basically, the malware hides all your files and displays only shortcuts to them.
When you click on the shortcut, you unknowingly run a script (in my case 3 files with similar names, FB_7649.tmp.vbs being one of them).
This then infects the host PC. So whenever you plug in a good thumbdrive, it will immediately infect it.
It was extremely annoying and it took me almost the last 4 days trying to get rid of it.
I finally got rid of the last of it.
If yours is not solved yet, perhaps I will spend the time to trace the steps that I took, since it was a lot of trial and error and complicated.


 

Mighty_Orange

Anyone kena before .. mind sharing how you get rid of the virus ??
 

chap88

To Mighty_Orange and Swordsman
I have managed to clean my PC. Here is how I did it... a bit lengthy... but that is how I recall doing it. Let me know if it works for you.

The virus file(s) is a VBS script file by the name of FB_CDBB.tmp.vbs (plus 2 other similarly named files).
These virus files need the Windows file wscript.exe to execute themselves.
The shortcuts that you see on your thumbdrive are the trigger – when you click on the shortcut, it executes the “wscript.exe FB_CDBB.tmp.vbs ...”
So the problem is really the FB_CDBB.tmp.vbs files and not the wscript.exe (apparently this is a legitimate Windows system file).
Search for wscript.exe in the C:
At least 2 (I got 3 in another PC) will show.
If you try to delete them, it will say you don’t have permission.
So, Right-click on each one – properties -> Security tab -> Advanced -> Owner -> Edit
Change owner to : /* choose the one with your name */
Click OK until you get out.
Now, right-click on the wscript.exe on which you just performed the above steps.
Go to Properties-> Security tab -> Edit
Under “Group or User names:” choose the one with your name (as above).
Under “Permission for SYSTEM” – “check the Full Control”
Click OK and then proceed to delete the wscript.exe file.
Continue the above steps for each of the wscript.exe.
----- Part 2 ----
Now you need to remove the virus itself. The file is a VBS called FB_CDBB.tmp.vbs plus 2 other files of similar FB_xxxx.
You need to do the following on the C: drive and all the thumbdrives that you have plugged into the infected PC:
In the CMD window (press windows-key + R, then type CMD in the popup), type this:
attrib -h -s -r /s /d C:*.*
This step is to change the attributes and to make the virus files visible for deletion.

Then, open up your C: drive, and in the search box (top-right corner) type in the “FB_”
This will find all files beginning with FB_
You should find one inside C:...\Microsoft\Windows\Start Menu\Programs\Startup
Delete all instances of these files.
Now do the same thing for all your thumbdrives (change the drive letter to “G” or whatever is your thumbdrive’s)
attrib -h -s -r /s /d G:*.*
Search and delete as above.
Empty your recycle bin.
Reboot.

After reboot, if you get a desktop.ini file that is displayed in Notepad, then the virus is still around. I had this on one of the 2 PCs that were infected.
The other PC was fine after performing the above steps.
If you get the desktop.ini file popping up upon reboot, do the following:
Press window-key + R;
type in shell:startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
Then Press window-key + R;
type in shell:common startup
if you see the desktop.ini file or the FB_CDBB.tmp.vbs, delete them all
I believe this should work for you as it had worked well for me.
Most of the above info is available on the web but it was not put together into a process that I found worked for me.
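
A read-only way to list what the steps above go looking for, added here as an example and not part of any post in this thread: it reports scripts in the two Startup folders, shortcuts on the thumbdrive that launch a script host, hidden items at the drive root, and script files or wscript.exe copies on the drive. The `G:\` default and the list of script extensions are assumptions; nothing is deleted or changed.

```powershell
# Added example: read-only triage; nothing is deleted or changed.
param([string]$Drive = 'G:\')   # assumption: thumbdrive letter, "G" as in the post

$scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf'   # Windows Script Host file types

# 1. Scripts in the folders behind shell:startup and shell:common startup.
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -File -Force } |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    Select-Object FullName, LastWriteTime

# 2. Shortcuts at the drive root that launch a script host or a script file.
$wsh = New-Object -ComObject WScript.Shell
$shortcuts = Get-ChildItem -LiteralPath $Drive -Filter *.lnk -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)   # opens the existing .lnk for reading
        $cmd = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
        if ($cmd -match 'wscript|cscript|\.(vbs|vbe|js|jse|wsf)\b') {
            [pscustomobject]@{ Shortcut = $_.Name; Launches = $cmd }
        }
    }

# 3. Root items with the Hidden attribute (typically the files the shortcuts replaced).
$hidden = Get-ChildItem -LiteralPath $Drive -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object Name, Attributes

# 4. Script files and wscript.exe copies anywhere on the drive, with SHA-256 hashes.
$files = Get-ChildItem -LiteralPath $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() -or $_.Name -eq 'wscript.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

$report = [ordered]@{
    'Scripts in Startup folders'           = $startup
    "Shortcuts on $Drive launching scripts" = $shortcuts
    "Hidden items at the root of $Drive"    = $hidden
    "Script files / wscript.exe on $Drive"  = $files
}
foreach ($section in $report.GetEnumerator()) {
    Write-Host "`n== $($section.Key) =="
    if ($section.Value) { $section.Value | Format-List | Out-String | Write-Host }
    else { Write-Host '(none found)' }
}
```

Run it from a PowerShell prompt with `-Drive` set to the thumbdrive's letter; the hashes can be checked against an antivirus or file-reputation service before anything is removed.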
 

Swordsman

thanks but i need days to understand this. lol. :s13:
 