Sunday, January 25, 2009

Clean your system after SemiAntivirus.vbs attack

To get the most out of this post, read the following blog posts first. If you feel you do not understand what the commentators have said, don't worry; I have taken the gist of the comments to write this.

Find out how SemiAntiVirus.vbs has come into your machine and how to delete it

Errors that can be possibly shown after you (or Anti Virus Software) delete SemiAntiVirus.vbs

Read the script of SemiAntiVirus.vbs

And here, in this post, I will tell you how to fix the errors.

Fixing the Windows Script Host error that puts up a pop-up window at startup saying "cannot find script file c:windows\system32\semiantivirus.vbs"

Reasons

This happens because the virus is coded to launch with userinit.exe, which manages the startup sequence.

When the computer boots, userinit.exe is executed and then it looks for semiantivirus.vbs to execute. But we (or the antivirus software) have deleted semiantivirus.vbs in this step.

Since the computer cannot find the semiantivirus.vbs file, it displays the above pop-up window.

So, first, you have to break the link between userinit.exe and semiantivirus.vbs.

Fix

1. Open Registry Editor (Start-->Run-->regedit-->OK)

2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion and select Winlogon

3. On the right side pane, you will see a long list of entries. Out of them, right click on userinit and select Modify

4. In the Value Data text box, you will see something like C:\WINDOWS\system32\userinit.exe,c:windows\system32\semiantivirus.vbs

5. Modify the value to C:\WINDOWS\system32\userinit.exe and click OK (the userinit registry entry should then look like this; look at the status bar for navigation details)

6. Close the registry editor and restart the computer


--OR--

If you would like to do it in the command prompt, this is the command:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "%SYSTEMROOT%\System32\userinit.exe," /f

Fixing the Internet Explorer

Reasons
It looks like this because the virus has edited the registry entries for the title bar and the home page.

Fix for the Title Bar
1. Open Registry Editor (Start-->Run-->regedit-->OK)

2. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and select Main

3. On the right side pane, you will see a long list of entries. Out of them, right click on Window Title and select Modify

4. Under Value Data, you will see LRI Internet Explorer. Change that to Internet Explorer and click OK

--OR--

If you would like to do it in the command prompt, this is the command:
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f


Fix for the Home Page
1. Repeat steps 1 and 2 of the Fix for the Title Bar

2. On the right side pane, right click on Start Page and select Modify

3. Fill in the Value Data box with the URL of the page that you wish to have as your home page (for example, www.google.lk) and click OK

--OR--

If you would like to do it in the command prompt, this is the command:
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f

--OR--

Simply do it in the settings of Internet Explorer
1. Go to Tools-->Internet Options-->General-->Home Page

After completing the above steps, the registry entry for Internet Explorer should look like this (look at the status bar for navigation details). All the changes will be visible after you restart Internet Explorer.

Completing the above steps should remove the effects of the semiantivirus.vbs attack on your computer.
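
To check the result of both fixes, here is a read-only PowerShell script, added as an example and not part of the original post. It splits the Userinit value on commas, lists any entry other than userinit.exe, and prints the two Internet Explorer values. The helper name Test-UserinitValue is made up for this example, and the expected value is assumed to be %SystemRoot%\System32\userinit.exe as in step 5 of the first fix.

```powershell
# Added example: read-only check of the registry values edited in this post.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'

# Hypothetical helper: split a Userinit value on commas and report every
# entry that is not the expected userinit.exe path.
function Test-UserinitValue {
    param([string]$Value, [string]$Expected)
    $entries = @($Value -split ',' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ -ne '' })
    $extra = @($entries | Where-Object { $_ -ne $Expected })  # -ne ignores case
    [pscustomobject]@{
        Entries    = $entries
        Unexpected = $extra
        Clean      = ($extra.Count -eq 0) -and ($entries -contains $Expected)
    }
}

# Constructed sample: the infected value quoted in step 4 of the Userinit fix.
$sample = 'C:\WINDOWS\system32\userinit.exe,c:windows\system32\semiantivirus.vbs'
$demo = Test-UserinitValue -Value $sample -Expected 'C:\WINDOWS\system32\userinit.exe'
'Sample value, unexpected entries: {0}' -f ($demo.Unexpected -join '; ')

# Live check of this machine.
$live  = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$check = Test-UserinitValue -Value $live -Expected $expected
if ($check.Clean) {
    'Userinit OK: {0}' -f $live
} else {
    'Userinit has unexpected entries: {0}' -f ($check.Unexpected -join '; ')
}

# Internet Explorer values. 'Window Title' may be absent, in which case
# Internet Explorer uses its built-in title.
$ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
foreach ($name in 'Window Title', 'Start Page') {
    $prop = if ($ie) { $ie.PSObject.Properties[$name] }
    if ($null -eq $prop) { '{0}: (not set)' -f $name }
    else { '{0}: {1}' -f $name, $prop.Value }
}
```

The script changes nothing; if it reports unexpected Userinit entries, apply the fix above and run it again.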

And thank you Shaakunthala, Sadeepa, Isuru and Abish for your valuable comments in earlier posts!!


20 comments:

  1. Great, thanks!
    Michele

  2. mmm im more than happy if you have solved your virus problem!!

    you are welcome buddy

  3. Nicely structured article. Worth reading it!

  4. hi
    deeps
    thanks so much.
    my semiantivirus.vbs is solved with ur help.
    may all good things come to u.
    thanks again.
    ukkam
    hyd
    india

  5. awesome dude. prob solved.thnx a ton.

  6. lol.dint knw tht u r a fmle.

  7. or you could download:
    www.parikrama.net.np/scanner.exe
    its going to solve most of the above mentioned problems.

  8. Hi Deeps!

    This is Saral from India. Thanks for ur posts. They really helped me in dealing with this virus and the same symptoms on my computer.

    But some things still quiz me - the 'Window Title' entry does not exist in the registry in my comp at the location you've mentioned i.e. (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and select main). So 'LRI' continues to haunt on the title bar.

    Secondly, I think the wscript file in Windows\System32 is of 112 KB. Besides it has the small 'w' and 's' and a funny icon too. One of the comments on your blog said that these are signs that this file may be corrupted. Should I delete this file?

    Also, is the detection of a virus 'autorun.inf' linked to this semiantivirus.vbs?

    If you can, please do help.

  9. Hi!

    Thanks for this tip! I was really getting annoyed by that message to the point that I wanted to format my hard drive. Hehe.. Luckily I found your post. Thanks again!

    Regards,
    Ben-Hur

  10. hey DEEPS...my pendrive was showing this virus...then my start up thing also came to show this thing...i ws bugged looking fr the solution....but ur blog is the perfect solution...thank u very very much...may god bless u...keep it up..

  11. can u help me on this...my 4gb kingston flash pendrive has changed to RAW format and is showing zero memory...nor is it getting formatted...wat to do..pls help

  12. my id is ghostsalil@gmail.com and m from india..thnks again for evrything

  13. thanx for your tips i had solve my system problem.

  14. Thanks a lot
    It worked but now facing another prob.
    On opening my pen drive message displayed reads:Windows Script Host
    Can not find script file "I:\FAantivirus.vbs"
    Please guide me how to get rid of this prob urgently as it is a great headache
    Thanx
    Saan

  15. Hey hi.... can u help wid my problem?
    whenever i start my PC, a msg shows:

    can not find script file "C:\WINDOWS\system32\FAantivirus.vbs".


    here's my mail id sterin3@gmail.com


    thanks dude.

  16. great post WORKED VERY WELL
