
"sujin.com.np" - rough analysis and solution

Tuesday, December 4, 2007

I always safeguard my flash drive against malware picked up from public computers. Whenever I insert it into my own computer, I make sure that the autorun.inf on the drive is still "clean". Yep, I always set my autorun.inf to look like this:

[autorun]
open=cmd.exe
shell\open=Open
shell\open\Command=cmd.exe

So when I insert my flash drive into a computer with autorun enabled and the command prompt comes up, I know the autorun.inf has not been rewritten. The trick only tells me that autorun.inf itself is untouched; anything that leaves that file alone would not show up, so it is a quick check rather than a scan.

And today I noticed something odd on our e-portfolio computers. Whenever Internet Explorer was opened, it went to a blank page at "sujin.com.np". It smelled fishy, and I figured someone had been up to something, but I assumed the IT department or the lab technicians would fix the start page soon enough. I am paranoid when it comes to PC matters; I do not want some malware getting onto my workstation and doing unscrupulous things. When I got home and checked my flash drive for any sign of trouble, I immediately noticed that its autorun.inf had been modified to this:

[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs

 Honeypot active!

So I checked the root directory of my flash drive and found VirusRemoval.vbs there, and opened it to see what it does.

So someone wrote a Visual Basic script that was stealthily planted on my flash drive. Even if it really does "virus removal" as its name claims, having it installed on my things without my knowledge is enough to annoy me. The file carries the hidden and system attributes, so Explorer does not show it by default; with a couple of DOS commands (dir /a to list it, and attrib -s -h VirusRemoval.vbs to clear the attributes) I was able to load virusremoval.vbs into Notepad and examine it.

I found out that the VBScript:

1.) Modifies registry settings: it disables access to the Taskbar, sets the Internet Explorer start page to "sujin.com.np", and changes the Winlogon Userinit value so that VirusRemoval.vbs is executed at every logon.

2.) Stores a copy of itself in the root directory of every drive.

3.) Deletes all .vbs files in the Windows directory and in the drive roots, and all .inf files in the root directories of the drives (which is why my own autorun.inf was gone).

4.) Deletes ravmon.exe, sxs.exe, winfile.exe and run.wsh (probably files belonging to some other malware that the author wanted to remove).

5.) Writes an autorun.inf next to each copy of VirusRemoval.vbs so that it auto-executes when the drive is a removable disk (i.e. a flash drive) inserted into a machine with autorun on.

6.) And that's it.
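A scripted version of the autorun.inf check described at the top of the post, as an added example (not the author's code and not the worm's): it parses the [autorun] section, compares it against the author's cmd.exe canary, and flags any launch entry that invokes a script host or a script file, such as the "wscript.exe VirusRemoval.vbs" lines above. The canary and the infected file are the two shown in the post; BENIGN_CHANGED is a constructed vendor-style file, and the lists of script hosts and extensions are my own assumption about what to treat as suspicious.

```python
"""Audit an autorun.inf against a known-good canary and flag script launches.

Added example; not the post author's code or the worm's.  The canary and the
infected file are the two shown in the post; BENIGN_CHANGED is constructed.
SCRIPT_HOSTS / SCRIPT_EXTS are my own choice of what counts as suspicious.
"""
import configparser
import re

CANARY_AUTORUN = r"""[autorun]
open=cmd.exe
shell\open=Open
shell\open\Command=cmd.exe
"""

INFECTED_AUTORUN = r"""[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs
"""

# Constructed: a vendor-style autorun.inf that differs from the canary but
# launches an ordinary executable.
BENIGN_CHANGED = r"""[AutoRun]
icon=setup.exe,0
label=Vendor CD
open=setup.exe
"""

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd")
# Any shell\<verb>\command entry is executed when that verb is chosen.
_VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section, or {}.

    autorun.inf is INI-style; keys are case-insensitive and may contain
    backslashes ("shell\\open\\Command"), which configparser accepts as-is
    and lowercases through its default optionxform.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_commands(entries):
    """Every command line autorun could run: open, shellexecute, shell\\*\\command."""
    return [
        value.strip()
        for key, value in entries.items()
        if key in ("open", "shellexecute") or _VERB_COMMAND.fullmatch(key)
    ]


def classify(text, canary=CANARY_AUTORUN):
    """Compare an autorun.inf with the canary.

    Returns ("clean", []) when the entries match the canary exactly,
    ("suspicious", findings) when a launch entry uses a script host or a
    script file, and ("changed", []) when it differs but looks ordinary.
    """
    entries = parse_autorun(text)
    if entries == parse_autorun(canary):
        return "clean", []
    findings = []
    for cmd in launch_commands(entries):
        tokens = cmd.split()
        if not tokens:
            continue
        exe = tokens[0].lower().rsplit("\\", 1)[-1]   # strip any path
        if exe.split(".")[0] in SCRIPT_HOSTS:
            findings.append(f"script host launched: {cmd}")
        if any(tok.lower().endswith(SCRIPT_EXTS) for tok in tokens):
            findings.append(f"script file referenced: {cmd}")
    return ("suspicious" if findings else "changed"), findings


if __name__ == "__main__":
    for name, sample in (("canary", CANARY_AUTORUN), ("infected", INFECTED_AUTORUN),
                         ("benign", BENIGN_CHANGED)):
        status, findings = classify(sample)
        print(f"{name:9}{status}")
        for finding in findings:
            print("   ", finding)
```

Run against the drive root (for example classify(open("E:/autorun.inf").read())) the infected file above is reported as suspicious twice over: once because open= runs a script host, and once because the shell\open\Command verb does the same. The hidden and system attributes the post mentions are not visible to this check; dir /a or attrib is still needed for that.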

Well, as payloads go it is a fairly low-impact VBScript (though deleting every .vbs and .inf file from the drive roots is not exactly harmless). The thing is that it WAS installed on my flash drive without my permission. And for people who are less computer-savvy, misconceptions and fear can arise when one day their browser opens to some "http://sujin.com.np".

 Annoying..

Update!!

Solution :

http://boyutal.i.ph/blogs/boyutal/2007/12/05/sujincomnp-removal-with-ultimate-flash-drive-protection-tool-v10/

 

 


Posted by boyutal at 10:42 AM

Previous Comments

How do you remove it, any suggestions?

Posted by Mike at December 4, 2007, 10:43 pm

Hi. I'll post a script later that will remove it and restore your original registry settings. Stay tuned.

Posted by boyutal at December 5, 2007, 1:35 am

Hi there. The removal tool is now available.

Posted by boyutal at December 5, 2007, 6:49 am

Hi, mine's affected too. Tell me about your removal tool. It's leaving some message on my status bar and trying to send some hinhem stuff to my friends. Sad, man!

Posted by roo at December 9, 2007, 7:12 pm


The removal tool is a JavaScript file that removes the virus from your computer and fixes the registry settings that were modified by the virus.

Posted by boyutal at December 9, 2007, 11:37 pm

The solution worked very well for me… Thanks.

Posted by Sumit at December 11, 2007, 10:22 pm

http://************.****/
I think this will solve your problem

Posted by thangkura at December 12, 2007, 4:10 am

thank you for help

Posted by mohammed at December 14, 2007, 4:55 am

thank you dear

Posted by nasir at December 17, 2007, 3:36 am

Exactly the same problem with all the computers in our Graduate Library; even the lab assistants are unable to solve the problem.
I will check the solution anyway.

Posted by Seid Muhie Yimam at December 29, 2007, 7:19 pm

Yeah, it works out.
Thanks very much.

Posted by Seid Muhie Yimam at December 29, 2007, 7:33 pm

Did someone say they have a tool to remove the virusremoval.vbs file? Can you give it to me? Thank you.

Posted by nsw at December 29, 2007, 10:36 pm

Hi, nsw. Just click the link at the bottom of the post and it will direct you to the removal tool. :D

Posted by boyutal at December 30, 2007, 12:10 am

Seid, you’re welcome and feel free to spread the word. :D

Posted by boyutal at December 30, 2007, 1:48 am

Hey, I had the same thing and I deleted it. Then when I restarted my computer it popped up that "virusremoval.vbs" was not found. So I went to the registry and deleted every value having that name. Now I have a problem. I cannot log in to the computer. The computer loads, and when I log in it shuts down.
Please mail me if you have a solution: visitruchan@hotmail.com

Posted by Ruchan at January 2, 2008, 8:09 pm

Hi Ruchan.

Looks like you deleted these registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

All you have to do is modify the registry while in "safe mode" or in the Recovery Console (I'm sure you can find howtos on Google) to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

value="Explorer.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

value="(drive):\Windows\System32\userinit.exe,"

That should fix the problem. :D

Posted by boyutal at January 2, 2008, 11:04 pm
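The registry repair boyutal describes, written out as an added example in Python rather than the JScript removal tool the post links to; it is not the post's or the tool's code. It assumes the Windows XP-era defaults Shell = Explorer.exe and Userinit = <SystemRoot>\system32\userinit.exe, (the trailing comma is part of the value), assumes that the title-bar text Ruchan mentions later lives in Internet Explorer's "Window Title" value, and works from constructed registry snapshots. It only writes to the registry on Windows and with dry_run=False; everywhere else it just prints the plan.

```python
"""Plan and (on Windows) apply the Winlogon / Internet Explorer repair.

Added example, not the post's removal tool.  Assumptions (not taken from the
page): the XP-era default values below, and that the title-bar string lives
in HKCU\\...\\Internet Explorer\\Main\\Window Title.
"""
import sys

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"

# Strings that identify this worm's modifications, taken from the post.
WORM_MARKERS = ("virusremoval.vbs", "sujin.com.np")


def expected_winlogon(system_root=r"C:\Windows"):
    """Known-good Winlogon values (assumed XP defaults; the trailing comma is real)."""
    return {
        "Shell": "Explorer.exe",
        "Userinit": system_root + r"\system32\userinit.exe,",
    }


def _tainted(value):
    return value is not None and any(m in value.lower() for m in WORM_MARKERS)


def plan_repair(current, system_root=r"C:\Windows"):
    """Build a repair plan from a snapshot of current registry values.

    current maps (key_path, value_name) -> string; values that do not exist
    are simply absent (Ruchan's case, where Shell and Userinit were deleted).
    Returns a list of (key_path, value_name, action, new_value):
      set    - restore the default / a neutral value
      delete - remove the value entirely
      review - differs from the default but does not look like the worm;
               reported for a human instead of being overwritten blindly
    """
    plan = []
    for name, good in expected_winlogon(system_root).items():
        cur = current.get((WINLOGON, name))
        if cur is not None and cur.lower() == good.lower():
            continue
        if cur is None or _tainted(cur):
            plan.append((WINLOGON, name, "set", good))
        else:
            plan.append((WINLOGON, name, "review", cur))
    if _tainted(current.get((IE_MAIN, "Start Page"))):
        plan.append((IE_MAIN, "Start Page", "set", "about:blank"))
    if _tainted(current.get((IE_MAIN, "Window Title"))):
        plan.append((IE_MAIN, "Window Title", "delete", None))
    return plan


def apply_plan(plan, dry_run=True):
    """Print the plan; write it to the registry only on Windows with dry_run=False.

    Returns True when something was written, False otherwise.
    """
    for key_path, name, action, value in plan:
        print(f"{action:7}{key_path}\\{name} -> {value!r}")
    if dry_run or sys.platform != "win32":
        return False
    import winreg  # Windows-only module, hence the late import
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for key_path, name, action, value in plan:
        root, subkey = key_path.split("\\", 1)
        with winreg.OpenKey(roots[root], subkey, 0, winreg.KEY_SET_VALUE) as key:
            if action == "set":
                winreg.SetValueEx(key, name, 0, winreg.REG_SZ, value)
            elif action == "delete":
                winreg.DeleteValue(key, name)
    return True


# Constructed snapshots for the demonstration (not captured from a real machine).
INFECTED = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,wscript.exe C:\WINDOWS\VirusRemoval.vbs",
    (IE_MAIN, "Start Page"): "http://sujin.com.np",
    (IE_MAIN, "Window Title"): "sujin.com.np",
}
AFTER_DELETING_VALUES = {}  # Ruchan's state: Shell and Userinit removed outright

if __name__ == "__main__":
    apply_plan(plan_repair(INFECTED, system_root=r"C:\WINDOWS"))
    apply_plan(plan_repair(AFTER_DELETING_VALUES, system_root=r"C:\WINDOWS"))
```

The point of the "review" action is the failure mode in Ruchan's comment: deleting everything that mentions the worm took Userinit with it, and without Userinit the logon cannot complete. Restoring only the two values to their defaults, and leaving anything unrecognised for a person to look at, avoids that.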

What's up again, Ruchan. I found this solution on Yahoo Answers. You should try it.

1.) Get the original bootable OS CD and use it to boot your PC.

2.) Setup will start; then choose the Recovery/Repair option.

From here

http://nz.answers.yahoo.com/question/index?qid=20080101101726AAos3PL

Posted by boyutal at January 3, 2008, 7:49 am

Yes, there is a repair button.
Then I got into it and got to c:\windows in cmd.
What do I do there?
Can I open the registry through it?

Thank you for your reply

Posted by Ruchan at January 3, 2008, 5:35 pm

Hi Ruchan,

Did you make a recent backup of your registry?

Posted by boyutal at January 3, 2008, 9:14 pm

That's the Recovery Console. If you have the original bootable CD, it will be easier. All you have to do is insert the OS CD and choose Repair to correct the registry errors.

Next time, do registry backups :D

Posted by boyutal at January 4, 2008, 7:13 am

Hey, I got it. I just did the repair and all the stuff is the same as it was (good thing). But my Windows updates are gone, and the updated IE7 and WMP11 are gone. But not a big problem.

Yes, I still had sujin.com.np on my homepage (I removed it) and also on the title bar (I removed that too).

Is there any other place it is still residing, or anything else?

Thank you

Posted by Ruchan at January 4, 2008, 4:20 pm

Yep, that's the downside of deleting a critical registry entry. There's another solution in which all your previous installs would be preserved, provided that you made a very recent registry backup of your system.

But hey, better to have a functional computer with all your data preserved, right? :D Just do the reinstalls, and remember to make a registry backup of your system once in a while (every week would be better), just in case.

And no, once you've got virusremoval.vbs out of your system, it's done. Just install good anti-virus software.

Regards,

Posted by boyutal at January 5, 2008, 1:56 am

thanks

Posted by ruchan at January 5, 2008, 8:43 pm

Thank you very much. I successfully removed it.

Posted by santosh at January 6, 2008, 3:50 am

Hollaa! Worked for me too, mmmuuaaaaaaaaaahhhhhhhh. I am not a GAY; not you buddy, to the programme.

Posted by Arpit at February 7, 2008, 10:24 am

I want to remove the www.sujin.com.np virus because it disturbs my documents.

Posted by bhawani at March 1, 2008, 3:10 am

I have a lot of files corrupted by sujin.com, so I want to remove it from my computer completely.

Posted by bhawani at March 1, 2008, 3:13 am

How can I remove it from my PC?

Posted by tamx at March 5, 2008, 5:28 pm

I’ve found a patch to remove it in this link : http://www.net-studio.org/application/safyway-blogspot.php

Posted by dave754 at March 12, 2008, 10:46 pm

Can you please tell me the exact procedure to get rid of virusremoval.vbs? Whenever I connect any pen drive to my PC and explore it, it shows that .vbs file.

Posted by Rahul at March 25, 2008, 5:52 pm

How can I remove sujin.com as my home page?

Posted by abhishek at April 2, 2008, 2:09 pm

How can I remove sujin.com as my home page?

Anybody tell me, please...

Posted by Samrat at April 5, 2008, 6:11 pm

I want to remove the www.sujin.com.np virus because it disturbs my documents.

Posted by Bastab Gogoi at May 29, 2008, 8:47 pm
