
Sujin Virus & how to get rid of it


Computers around Kathmandu are these days infected by a nasty, resource-eating virus which does nothing but scare people. If your Internet Explorer address bar shows "Sujin.com.np" and your home page points you to sujin.com.np, then your computer is infected by the Sujin virus. Don't be scared though. Apart from eating about 9 MB of your computer's memory for wscript.exe and changing your IE address bar and home page, this virus does no other harm; I mean no secret is going to be stolen from you. (It does run under your own account at every logon, so it should still be removed, not ignored.)
I advise you not to believe the news reports coming out in the papers which claim this virus steals your password and sends it to the virus coders. Being a computer science student I know a little about code. I have seen the code of the virus (it does not require any expertise, believe me) and there is nothing in it which suggests it steals passwords.
There is no doubt that it's a lie. This guy Sujin, whoever he is, only wants to get some publicity. The virus is written in VBScript, so the code can be read in Notepad.

You get to see this message if you open the file in Notepad (the comment block at the top of the script):

'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them.
'******************************************************************
'******************************************************************
'Program developed by
'Sujin Joshi
'http://Sujin.com.np
'sujinjoshi@gmail.com

He claims that this is an "antivirus program" intended to repair your computer. Some of his claims are true: it deletes "ravmon.exe", "winfile.exe", "run.wsh", "sxs.exe" and "killvbs.vbs", which are all known viruses, and it resets the registry and Task Manager back to normal. But these are not all the viruses in the world, and a fixed list of file names is no match for anything that changes its name: remember the "New folder.exe" virus, which copies itself into every folder under a different folder name. Don't fall for it; this is no good as a program.

This script persists through the registry: it adds itself ("VirusRemoval.vbs", run through wscript.exe) to the Winlogon Userinit entry that launches userinit.exe, which makes his file execute every time we start the computer and log on. Moreover, the script scans for removable storage devices like floppies and pen drives every 10 seconds in order to propagate. If you have a floppy drive you can hear it polling the drive every 10 seconds with an annoying sound.
It also writes an "autorun.inf" file with the following lines to any such device it finds inserted:

[autorun]
open=wscript.exe VirusRemoval.vbs
shell\open=Open
shell\open\Command=wscript.exe VirusRemoval.vbs

Both the open= line and the shell\open\Command line point at the copy of the script on the drive itself, so inserting the drive into another computer with AutoRun enabled, or simply double-clicking the drive in My Computer, is enough to start it there.

This virus eats up your memory resources to spread itself. A blood-sucking parasite, don't you think? The other thing it does is append "-sujin.com.np" to Internet Explorer's title bar (the text shown after every page title, which is why a stray hyphen appears there) and set your home page to sujin.com.np, a site which is not working right now.

Now for the getting-rid-of-the-virus part (manual method).
Apparently Mercantile, the company where this guy registered his domain name, was providing an antidote for this Sujin virus. I went there and downloaded the program. It did clean my virus, but when I checked the About section of that program I was horrified to find the same name, "Sujin Joshi", as the programmer. आफैं बोक्सी आफैं धामी????? (Both the witch and the witch doctor are the same person?)
It further strengthened my previous hunch that this guy is no more than a script kiddie looking for instant fame, and I suspect that the same guy planted the news story in some of the newspapers of Nepal. To them I have to say: please, please, please verify whatever you are publishing first. No false information, please.
Would you trust this person's program??? I would not!!!! You should not. Sorry for deviating from the issue, but I am angry with these newspapers.

To clean this VBScript from your computer (manually):
1) Open Task Manager, look for the process "WScript.exe", click on it and then click End Process. If it shows a warning, ignore it and click Yes. Now make sure there is no more "WScript.exe" running in Task Manager; if there is, repeat the process above, i.e. hit End Process again. (The script keeps re-copying itself while it runs, so nothing you delete in the later steps stays deleted until every WScript.exe is gone.)
2) To open a command prompt, type "cmd" without quotes at Start > Run.
3) Type "cd \" without quotes and press Enter. This brings you to the root of the current drive, however deep your starting folder was.
4) If Windows is installed on another drive (D:, for example), type that drive letter followed by a colon, e.g. "d:", and press Enter first. Typing "cd /d %SystemRoot%\system32" instead of steps 3 to 5 takes you to the right folder whichever drive it is on.
5) Now type "cd windows\system32" and hit Enter.
6) Type "attrib -s -h -r VirusRemoval.vbs" without quotes and hit Enter. This clears the system, hidden and read-only attributes the script sets on its own file; without this, "del" refuses to remove it and Explorer does not even show it.
7) Now type "del VirusRemoval.vbs" without quotes and hit Enter.
8) Now, if you have a pen drive or floppy inserted, don't double-click to open it (that runs the autorun.inf). Instead double-click the "My Computer" icon; when it opens, press F4 on your keyboard, find your pen drive or whatever you have in the drop-down list and click it.
9) Click the Tools menu of the My Computer window, then Folder Options, go to the View tab, select the "Show hidden files and folders" radio button, and also uncheck the boxes which say "Hide extensions for known file types" and "Hide protected operating system files (Recommended)". Ignore the warning and click Yes.
10) Find and delete the files named "autorun.inf" and "VirusRemoval.vbs" if they exist. If Explorer refuses, use the command prompt again: type the drive letter (for example "f:"), then "attrib -s -h -r autorun.inf", "del autorun.inf", "attrib -s -h -r VirusRemoval.vbs" and "del VirusRemoval.vbs".

11) If it is not working for you, please check step 1 again: if there is a wscript.exe running in Task Manager you have to repeat everything again. So please be sure that wscript.exe is not running.

Update:
And lastly, in order to fix up the registry alteration done by this Sujin virus (the "Can not find script file VirusRemoval.vbs" error at logon after you have deleted the file), please download this VBScript file (link: Here) and double-click it. This particular script is also useful if you are infected by viruses other than Sujin.
(Ask me if you encounter a problem; I am always ready to answer.)
Update:
Go to this link to get the anti-Sujin tool 2.1: Here
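Putting the eleven manual steps and the registry repair together, here is an added example in the cmd.exe batch language the steps are typed in. It is my script, not the blog's VBScript fix or the anti-Sujin tool (whose download links are not on this page). It assumes things the page only hints at: that the logon entry lives in the Winlogon "Userinit" value in HKLM (the post says only that the script "attaches itself to userinit.exe"), that IE's title suffix is stored in the "Window Title" value and the home page in "Start Page" under HKCU, that about:blank is an acceptable home page, and that the pen drive is F:. Run it from an administrator's command prompt on XP Professional or later, and read the reg query output before the "reg add" line overwrites anything.

```batch
@echo off
rem Added example, not the blog's own fix: automates the manual steps above
rem plus the registry repair the Update refers to.
rem ASSUMPTIONS not stated on the page: the startup entry is the Winlogon
rem "Userinit" value; IE's title suffix is in "Window Title" and the home page
rem in "Start Page"; the pen drive is F:.  Run from an administrator cmd.exe
rem on XP Professional or later (taskkill, tasklist and reg are not on XP Home).
setlocal
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "IEMAIN=HKCU\Software\Microsoft\Internet Explorer\Main"
set "POLSYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "REMOVABLE=F:"
set "DROPPED=%SystemRoot%\system32\VirusRemoval.vbs"

echo [1] Stop every wscript.exe first, or the script recreates what you delete
taskkill /F /IM wscript.exe >nul 2>&1

echo [2] Remove the dropped script, clearing the system/hidden/read-only bits
if exist "%DROPPED%" (
    attrib -s -h -r "%DROPPED%"
    del /f /q "%DROPPED%"
)

echo [3] Winlogon Userinit before repair; on a clean XP it names only userinit.exe
reg query "%WINLOGON%" /v Userinit
rem Overwrite with the stock value rather than deleting the value: without it
rem Windows cannot start the shell at logon.  The trailing comma is part of it.
reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "%SystemRoot%\system32\userinit.exe," /f >nul

echo [4] Restore the Internet Explorer title bar and home page
reg delete "%IEMAIN%" /v "Window Title" /f >nul 2>&1
reg add "%IEMAIN%" /v "Start Page" /t REG_SZ /d "about:blank" /f >nul

echo [5] Re-enable Task Manager in case another script disabled it
reg delete "%POLSYS%" /v DisableTaskMgr /f >nul 2>&1

echo [6] Clean %REMOVABLE% without opening it in Explorer
if exist "%REMOVABLE%\autorun.inf" (
    echo     autorun.inf found on %REMOVABLE%, contents:
    type "%REMOVABLE%\autorun.inf"
    attrib -s -h -r "%REMOVABLE%\autorun.inf"
    del /f /q "%REMOVABLE%\autorun.inf"
)
if exist "%REMOVABLE%\VirusRemoval.vbs" (
    attrib -s -h -r "%REMOVABLE%\VirusRemoval.vbs"
    del /f /q "%REMOVABLE%\VirusRemoval.vbs"
)

echo [7] Verify: no wscript.exe running and no copy of the script left behind
tasklist /FI "IMAGENAME eq wscript.exe" | find /I "wscript.exe" >nul && echo     WARNING: wscript.exe is back, repeat from step 1
if exist "%DROPPED%" echo     WARNING: %DROPPED% still present
if exist "%REMOVABLE%\VirusRemoval.vbs" echo     WARNING: %REMOVABLE%\VirusRemoval.vbs still present
reg query "%WINLOGON%" /v Userinit
endlocal
```

Two design points. The Userinit value is overwritten with the stock string instead of being deleted, because a missing Userinit leaves Windows unable to start the desktop at logon; the commenter below who hand-deleted registry entries reports two hung logins afterwards. And the removable drive is never opened in Explorer before its autorun.inf is gone, since that double-click is exactly what the shell\open\Command line is waiting for.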
  1. Anonymous

    December 23, 2007 at 9:24 PM

THANK YOU VERY MUCH MR. MANGALMAN. YOU REALLY ARE A GENIUS. YOU HELPED ME GET RID OF THAT CRAPPY VIRUS SUJIN. TAKE CARE AND GOD BLESS.

    MADHUSUDAN BANERJEE

  1. Sheetal Thapaliya

    December 23, 2007 at 11:29 PM

Yeah, aafai jhankri aafai boksi (the witch doctor and the witch are the same person). I think Mercantile itself is responsible for spreading this so-called virus.

  1. MangalMan

    December 24, 2007 at 1:18 PM

Thanks for the encouraging words, Madhusudan jee. Your kind words provide me the fuel.

  1. Anonymous

    December 25, 2007 at 7:05 PM

    Hey MangalMan...
Thanks for the solution! Really awesome. But there's a small problem, bro. When I switch on my computer I get the message "Can not find Virusremoval.vbs". What should I do now? Please help.

  1. MangalMan

    December 26, 2007 at 9:48 AM

    @ indian
This Sujin thing associates itself with your "userinit.exe", so even if you deleted virusremoval.vbs from your computer, the association it has in the registry is still present; hence you get the error you are getting. In order to solve this problem I suggest
    you go here, read, download and run it. Don't mess with your registry unless you know what you are doing.

  1. Mary.

    December 27, 2007 at 9:44 AM

    Thank you so much for the information. This is really helpful.

  1. Anonymous

    January 4, 2008 at 12:33 PM

It's such a crappy piece of code.
    This person Sujin Joshi is obviously looking for some publicity with his very amateur coding skills, for which I'd give him a grade of ZERO. Such people should understand that programming is for helping people; it's for building enterprise-level applications, not for messing around with others' computer settings with their useless piece of code, which even an 8-year-old could have written.

So don't be proud of writing this crap and seeing your name all around the web, getting known as the virus itself, while every person with even basic IT knowledge knows it's not even a virus but some childish code, and next time find something better to code.

    -A pissed off programmer!

  1. Anonymous

    January 16, 2008 at 3:16 AM

    Thank you very much! Keep up the good work :-)

  1. Anonymous

    January 30, 2008 at 12:26 AM

I have a small problem. Whenever I attach my pen drive and try to open it, I get the following message:
    Can not find script file "F:\virusremoval.vbs"
    I have to open the drive using Explorer then.
    Can you tell me why this is happening?

  1. MangalMan

    January 30, 2008 at 11:58 PM

@ anon: well, what you have is that your pen drive has no virusremoval.vbs file in it, but it does have the autorun.inf file in it.
    Follow the steps:
    1) Open cmd from Start > Run by typing it.
    2) Now go to your drive by typing f:
    in the cmd prompt.
    3) Type attrib -s -h -r autorun.inf
    4) Then type del autorun.inf
    Your problem will be solved.

  1. Anonymous

    February 20, 2008 at 8:55 AM

    How to delete virusremoval.vbs in pendrive?

  1. MangalMan

    February 21, 2008 at 3:10 PM

@anon
    Open your Notepad and type these 2 lines:
    del f:\autorun.* /f /q /as
    del f:\virusremoval.vbs /f /q /as
    Save it as run.bat and then double-click it.
    Change the drive letter to whatever your pen drive's letter is.
    Hope this helps.

  1. Anonymous

    February 21, 2008 at 4:37 PM

I have followed the steps as mentioned without getting any errors, but I am still getting the Sujin error.

    Wscript is also not there in the processes. Please advise.

  1. Anonymous

    February 21, 2008 at 4:38 PM

I have followed the steps mentioned without getting errors at any step, but I am still getting the Sujin message again.

    Wscript is not there in the processes.
    Please advise.

  1. MangalMan

    February 22, 2008 at 11:20 AM

@anon please download the anti-Sujin tool and run it; that will solve your problem, I am sure.

  1. Manoj Patil

    February 26, 2008 at 9:06 PM

I too got an error message "can not find script file "c\windows\system32\virusremoval.vbs"" whenever I start my PC and enter my account. I went through this blog and did some registry editing. Open Run, type "regedit" and find "VirusRemoval"... then I right-clicked the result and deleted it... but I still got the same message at startup. So I opened the registry and found "Autorun.inf"; it was in the same place where I found "VirusRemoval"... so I deleted that too. But please do this at your own risk... because after the deletion my PC hung twice when I logged in to my account. But the third time I logged in with my other user account, and it was OK; not sure it is necessary for this to happen... but I got that error message to stop. Now I have no such message at startup. :)

  1. Anonymous

    April 2, 2008 at 6:53 PM

Thanks... By your advice I got rid of that.

  1. Anonymous

    April 14, 2008 at 1:59 PM

I'm writing this from S'pore. I think this Sujin virus spread widely to this region too. For no reason my PC got infected. Thanks for your anti-virus steps. I got rid of it now. After so many days, I saw my PC running without Sujin. Thanks again.

  1. Anonymous

    April 14, 2008 at 2:02 PM

I am writing from S'pore. This Sujin virus spread widely to this region too. For no reason, my PC was infected by this. For the first time, I saw my PC start up without Sujin. Thanks for your initiative.

  1. Anonymous

    April 23, 2008 at 2:56 PM

Hi genius,
    Even I'm facing the same problem on my PC.
    I tried the steps you gave, but I get an error when I type "cd windows\system32";
    it says 'The system cannot find the path specified'.
    What can I do now?
    Please reply to me at my email ID:
    mak_m_a_k@yahoo.com
    Eagerly waiting for your reply.

  1. MangalMan

    April 24, 2008 at 4:43 PM

    @anon
Your system32 does not exist???!!!
    I think you use Linux and are trying to get me, ha ha ha. Nice try, man.

  1. Inspirations

    May 7, 2008 at 9:57 AM

Thank you for the guidance. It worked for me.
    But please also tell me how to remove the hyphen after the title (-).
    Thanks so much. Please keep up the good work.

  1. Unknown

    May 7, 2008 at 2:18 PM

He might have Windows on another drive and is searching for it on the C drive, most probably.

  1. MangalMan

    May 8, 2008 at 12:26 PM

@inspirations I have just made a post
    on how to solve your problem; see it
    here.

  1. MangalMan

    May 10, 2008 at 4:38 PM

I just removed a comment by someone whose link pointed surfers to some really nasty virus. I just followed the link, downloaded the file and launched it. It was a virus.

    Applib149410n.exe
    csrss.exe
    inetinfo.exe
    lsass.exe
    services.exe
    smss.exe
    svchost.exe
    Empty.pif
    KesenjanganSosial.exe
    eksplorasi.exe
    RakyatKelaparan.exe
    bronstab.exe

These are the things it tried to install on my computer. It disguises itself as a safyway.blogspot.exe remover; don't fall for it.

  1. MangalMan

    May 10, 2008 at 4:44 PM

And by the way, safy.blogspot.com, shaym.com.np and
    sujin.com.np are the same script, that is, virusremoval.vbs, so this cure works for all.

  1. Anonymous

    June 5, 2008 at 4:54 PM

Hi Mr. Mangalman... Thanks for all the info and all the work... My machine is also infected by safyway.blogspot... But there is yet another problem... There is something else which does not let me open anything related to Yahoo, be it Messenger or the Yahoo website... It just closes the application which is using Yahoo and gives the error in a new message box that 'Yahoo has been banned'... the message window has the name 'yahoo services'... When I try to open Task Manager it tells me 'Task Manager has been disabled by your administrator'... Need your help please, as it's on my laptop and all my work is on it... Can't format... Please reply...
    Mitesh.

  1. MangalMan

    June 7, 2008 at 12:16 AM

@anon download HijackThis, run it and send me the log; I will help.

  1. Ravi Shankar

    June 8, 2008 at 12:35 PM

Dear MangalMan,
    You are really a genius... I was struggling to get rid of this virus for a long time, but only now could I get through...
    These days my PC is attacked with a new virus; please help me out...
    Whenever I am trying to open orkut.com a popup appears on the screen saying "Orkut is banned you ...., The administrators didn't write this program guess who did?? ..MUHAHAHA..." and after that the Explorer window gets closed. PLEASE HELP ME OUT.

  1. NMR

    August 17, 2008 at 3:05 AM

Hi friend,
    My name is Madhav, I am from Andhra. I had been frustrated with the "virus removal" script problem for so many days in Internet Explorer on my Acer laptop. I had tried so many hooks, but you know, your magic has just worked on my laptop and it has cleared the "cannot find script file" of the virus... and that's it, my Internet Explorer is back with a new home page of my choice. You really did a good job, dude. Thanks and thanks, thanks a lot, your solution has helped me a lot. Thanks once again.

  1. NMR

    August 17, 2008 at 3:09 AM

Awesome, your solution has just resolved my frustration and eased my access to my laptop.

  1. Anonymous

    August 22, 2008 at 5:26 AM

I'm looking for WScript.exe but I don't see it when I open Task Manager. What could the problem possibly be?

  1. Anonymous

    November 6, 2008 at 8:54 PM

Thanks, you are really a wise man on computers. It was very helpful to me; just keep solving our problems this way...

  1. Anonymous

    December 28, 2008 at 12:02 PM

Mr. Mangalman, I have an issue on my PC. There is something which does not let me open anything related to Yahoo, be it Messenger or the Yahoo website... It just closes the application which is using Yahoo and gives the error in a new message box that 'Yahoo has been banned'... the message window has the name 'yahoo services'... When I try to open Task Manager it tells me 'Task Manager has been disabled by your administrator'... Need your help...

    I saw somebody had the same problem and you asked for a log. Did you get a solution for that?

    Thanks in advance for your help.

  1. firozkhan082000

    February 12, 2009 at 8:22 AM

Hi, Mr. Mangal Man,

    I'm Firoz Khan from Hyderabad.
    A virus came into my system:
    http://sujin.com.np/

    So how do I remove that virus? Please let me know.

    Thanks
    Firoz Khan
    +91 9908587315

  1. Jasmine Lily Muhamad

    June 25, 2010 at 6:03 PM

    Mr.Mangalman.

    Thank you very much for your help removing the SUJIN virus.

    Jasmine Lily Muhamad
    Malaysia
