virusremoval.vbs

[magneticme200]

i hv avast av...yestrday i scannd my pc..
it found a virus in c:\windows\sys..\virusremoval.vbs
it could nt repair the same...so i deleted it...
now wenevr i start my comp..an error comes
"could nt find the script c:.,,,,\virusremoval.vbs"
i dnt want to hv this startup msg...and also wanna knw wat is it related to??
y is it at the startup.???

[ravi_9793]

create a new blank file in notepad.......... rename it as "virusremoval.vbs"
and save in same folder.

[magneticme200]

Quote:

Originally Posted by ravi_9793

create a new blank file in notepad.......... rename it as "virusremoval.vbs"
and save in same folder.

is it gonna surely help??
bt i want to remove this process/service frm startup?...!!

[casanova]

This would have created an entry in your startup. Download some startup manager. TuneUp Utilities 2008 has a nice startup manager. Disable the startup key for virusremoval.vbs from the TuneUp's start up manager.

TO remove this first of all look into task manager and see it WSCRIPT process is running or not. If it running then end the process. Then go to windows/ system32 directory and delete the virusremoval.vbs . Then open msconfig and delete the startup key from there. Sometime there is a blank startup item with no name of process. Delete those entries and you are done...

[blueshift]

Goto Registry Editor by typing regedit in Run command.

Browse to these registry keys:

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane, look for the values of [b]Userinit[/b and Shell keys. It must have values C:\WINDOWS\system32\userinit.exe and Explorer.exe respectively. Anything more than that can be safely deleted.
Like suppose possibly if the value is 'C:\WINDOWS\system32\userinit.exe, C:\Windows\System32\VirusRemoval.vbs' then double-click the key to edit and delete C:\Windows\System32\VirusRemoval.vbs

Also for Startup entries, you can check these keys:

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

[english_sos]

it is infact a very nagging .vbs script virus, better known as the sujin virus. stop doing all the registry hacking yourself just download an antisujin kit available from this link
http://back2mangalman.blogspot.com/2...ion-10-by.html
i faced the same problem and trust me it worked like charm.
regards
***things are easy if u know the solution.

english_sos

[Pathik]

Actually it is not exactly a virus. It is a very useful VBscript. You can eit it and use it to get rid of those pesky andu-pandu USB viruses

[english_sos]

Sorry Pathik If Kaspersky Says It Is A Virus, It Is. And Please Follow The Link You Will Find A Mine Of Information. Good Mine Yaar, Not Those Blasted Type.

[blueshift]

I too don't think that it actually is a virus after reading the code. It just changes the IE title name and the startup page. It doesn't do any destruction like the trojans do.

[magneticme200]

yes its true...it has chngd my IE homepage frm default to http://bro.gov.in/
and i dnt knw smehw i cnt chnge it evn..!!

[Pathik]

Edit the virusremoval.vbs file and change all instances of that URL with about:blank

Or change these two keys:

Code:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Window Title

[BiggyIT]

I think you will find some solution in this link
http://www.meganetscan.com/Tips&Fixes.html

[nirjhar]

Use anivir
is the best antivirus
specilly for autorun.inf
And pendrive virus

[prabirjit]

I faced the same 'bro.gov.in' problem- no well-known anti-virus programs could detect or block its infection. Finally Malwarebytes' Anti-Malware program removed the virus -here is the report for experts to see:
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

But the trace remained in the internet explorer - I just tackled that, thanks to digit forum suggestion to use AntiSujin.