Find out how SemiAntiVirus.vbs has come into your machine and how to delete it
Errors that can be possibly shown after you (or Anti Virus Software) delete SemiAntiVirus.vbs
Read the script of SemiAntiVirus.vbs
and here in this post, I will tell you how to fix the errors
Fixing the Windows Script Host Error which puts up a pop up window at the start up saying "cannot find script file c:windows\system32\semiantivirus.vbs"
Reasons
This happens because the virus is coded to launch with the userinit.exe which manages the start up sequences at the start up.
When the computer boots, userinit.exe is executed and then, it looks for the semiantivirus.vbs to execute. But we (or the anti virus software) have deleted the semiantivirus.vbs in this step.
Since the computer cannot find the semiantivirus.vbs file it displays the above pop up window
So, first, you have to break the link between the userinit.exe and semiantivirus.vbs
Fix
1.Open Registry Editor (Start-->Run-->regedit-->OK)
2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion and select \Winlogon
3. On the right side pane, you will see a long list of entries. Out of them, right click on userinit and select Modify
4.In the Value Data text box, you will see something like C:\WINDOWS\system32\userinit.exe,c:windows\system32\semiantivirus.vbs
5. Modify the value to C:\WINDOWS\system32\userinit.exe and click ok (then, the userinit registry entry should look like this. Look at the status bar for navigation details)
6. Close the registry editor and restart the computer
--OR--
If you like to do it in the command prompt this is the command reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %%SYSTEMROOT%%\System32\userinit.exe, /f
Fixing the Internet Explorer
Reasons
It looks like this because the virus has edited the registry entries for the Title bar and the Home Page
Fix for the Title Bar
1.Open Registry Editor (Start-->Run-->regedit-->OK)
2.Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and select main
3. On the right side pane, you will see a long list of entries. Out of them, right click on Window Title and select Modify
4. Under Value Data, you will see LRI Internet Explorer. Change that to Internet Explorer and click ok
--OR--
If you would like to do it in the command prompt, this is the command reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f
Fix for the Home Page
1. Repeat the 1 and 2 steps of the Fix for the Tiltle Bar
2.On the right side pane, right click on Start Page and select Modify
3. Fill in the Value Data box with the URL of the page that you wish to have as your home page(For example,www.google.lk) and click ok
--OR--
If you would like to do it in the command prompt this is the command reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f
--OR--
Do it simply in the settings of Internet Explorer
1.Go to Tools-->Internet Options-->General-->Home Page
1.Go to Tools-->Internet Options-->General-->Home Page
After completing above steps, the registry entry for Internet Explorer should look like this(look at the status bar for navigation details) All the changes would be visible after you restart Internet Explorer
Completing the above steps should remove the implications of the semiantivirus.vbs attack on your computer.
And thank you Shaakunthala, Sadeepa, Isuru and Abish for your valuable comments in earlier posts!!
Great, thanks!
ReplyDeleteMichele
mmm im more than happy if you have solved your virus problem!!
ReplyDeleteyou are welcome buddy
Nicely structured article. Worth reading it!
ReplyDeletethanks bro!!
ReplyDeletehi
ReplyDeletedeeps
thanks so much.
my semiantivirus.vbs is solved with ur help.
may all good things come to u.
thanks again.
ukkam
hyd
india
Thanks a lot :)
ReplyDeleteawesome dude. prob solved.thnx a ton.
ReplyDeletelol.dint knw tht u r a fmle.
ReplyDeleteor you could download:
ReplyDeletewww.parikrama.net.np/scanner.exe
its going to solve most of the above mentioned problems.
Hi Deeps!
ReplyDeleteThis is Saral from India. Thanks for ur posts. They really helped me in dealing with this virus and the same symptoms on my computer.
But some things still quiz me - the 'Window Title' entry does not exist in the registry in my comp at the location you've mentioned i.e. (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and select main). So 'LRI' continues to haunt on the title bar.
Secondly, I think the wscript file in Windows\System32 is of 112 KB. Besides it has the small 'w' and 's' and a funny icon too. One of the comments on your blog said that these are signs that this file may be corrupted. Should I delete this file?
Also, is the detection of a virus 'autorun.inf' linked to this semiantivirus.vbs?
If you can, please do help.
Hi!
ReplyDeleteThanks for this tip! I was really getting annoyed by that message to the point that I wanted to format my hard drive. Hehe.. Luckily I found your post. Thanks again!
Regards,
Ben-Hur
hey DEEPS...my pendrive was showing this virus...then my start up thing also came to show this thing...i ws bugged looking fr the solution....but ur blog is the perfect solution...thank u very very much...may god bless u...keep it up..
ReplyDeletecan u help me on this...my 4gb kingston flash pendrive has changed to RAW format and is showing zero memory...nor is it getting formatted...wat to do..pls help
ReplyDeletemy id is ghostsalil@gmail.com and m from india..thnks again for evrything
ReplyDeletethanx for your tips i had solve my system problem.
ReplyDeleteThanks a lot
ReplyDeleteIt worked but now facing another prob.
On opening my pen drive message displayed reads:Windows Script Host
Can not find script file "I:\FAantivirus.vbs"
Please guide me how to get rid of this prob urgently as it is a great headache
Thanx
Saan
Thanx Buddy!
ReplyDeletethanks for help
ReplyDeleteHey hi.... can u help wid my problem?
ReplyDeletewhenever i start my PC, a msg shows:
can not find script file "C:\WINDOWS\system32\FAantivirus.vbs".
here's my mail id sterin3@gmail.com
thanks dude.
great post WORKED VERY WELL
ReplyDelete