Friday, January 23, 2009

Removing the SemiAntiVirus.vbs file from an infected computer or a USB Drive

I found my own way to remove the SemiAntiVirus.vbs virus I mentioned in the last post. My computer runs Windows XP (Service Pack 3), and that is the only platform I tried this on, so I do not think it will work on any other platform.

Symptoms (as I experienced them; if you have more, please add them in the comments section)

1. When I clicked the Shut Down button, the machine logged off and restarted several times. I had to wait until it reached the welcome screen and click Shut Down again to make it really shut down.
2. The title bar of Internet Explorer was changed to "LRI Internet Explorer" (and the home page was changed to about:blank).
3. I could not stop a USB drive in order to remove it safely. Windows said that another program was using the USB drive, but I was sure that no data transfer between the computer and the USB drive was happening at that time.
4. My folder settings were changed automatically so that hidden files and folders were no longer shown.

How to prevent

This spreads through USB drives. This is how the AutoPlay window and the files on an infected USB drive look. If you get a window like this, click "Take no action" and OK. (Pavi, sorry I had to tell everybody that I got it from your pen drive.)

The best way to prevent it is to browse the drive through Explorer's Folders pane instead of double-clicking the drive icon. As I have done above, open My Computer, click Folders and select the USB drive from the folders panel. Double-clicking the drive icon (or accepting the AutoPlay prompt) runs whatever the drive's autorun.inf points at, while the Folders pane only lists the drive's contents. Note that the AutoPlay window says there is a program on the USB drive; in reality it is the virus. Because the virus also turns off "Show hidden files and folders" (symptom 4 above), first set Folder Options to show hidden files, and also untick "Hide protected operating system files" in case the two files carry the system attribute, or they may not be listed. Now simply select autorun.inf and SemiAntiVirus.vbs and press Shift+Delete. That removes the virus from the USB drive, but if your machine is already infected you still have to remove it from there.

NOTE: If you are really interested in knowing about viruses and how they work, right-click the file and select Open With > Notepad. You get text like this, which explains how the virus really infects your system. Opening a .vbs file in Notepad only displays it; double-clicking it runs it through Windows Script Host, so never double-click it.
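To make the "look at autorun.inf before you open the drive" step concrete, here is an added example (not code from the original post) that parses an autorun.inf and lists every directive that would run something when the drive is double-clicked or AutoPlay is accepted. The sample autorun.inf is constructed to resemble the launcher the post describes (wscript.exe running SemiAntiVirus.vbs); the real file from the infected drive is not reproduced on this page. The function names (`parse_autorun`, `suspicious_entries`, `triage`) are mine. Feed it a copy of autorun.inf read through the Folders pane, never one obtained by double-clicking the drive.

```python
"""Triage an autorun.inf from a USB drive without executing anything.

Added example; the sample file below is constructed, not the worm's own.
"""
import re

# Directives that run a program when the drive is opened or AutoPlay is accepted.
# A harmless autorun.inf normally carries only icon= and label=.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")   # shell\open\command etc.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
SCRIPT_FILE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)

# Constructed sample resembling the launcher the post describes (not the real file).
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=wscript.exe SemiAntiVirus.vbs
shellexecute=wscript.exe SemiAntiVirus.vbs
shell\open\command=wscript.exe SemiAntiVirus.vbs
shell\explore\command=wscript.exe SemiAntiVirus.vbs
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

# Constructed benign sample: icon and label only, nothing executes.
BENIGN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Driver CD\n"


def parse_autorun(text):
    """Return the [autorun] section as {key: value}, keys lower-cased.

    Hand-rolled rather than configparser so that %SystemRoot% style values
    and odd line endings do not raise errors.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries):
    """Return [(key, value)] for every directive that executes something, plus
    any value naming a script host or script file (even under icon=/label=)."""
    hits = []
    for key, value in entries.items():
        executes = key in LAUNCH_KEYS or bool(SHELL_COMMAND.match(key))
        tokens = value.replace('"', " ").split()
        program = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
        names_script = program in SCRIPT_HOSTS or bool(SCRIPT_FILE.search(value))
        if executes or names_script:
            hits.append((key, value))
    return hits


def triage(text):
    """Flagged keys for an autorun.inf's text; an empty list means nothing would run."""
    return [key for key, _ in suspicious_entries(parse_autorun(text))]


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, "->", triage(text) or "no launch directives")
```

Any non-empty result means the drive would start a program on double-click; the value tells you which file to look at in Notepad and then delete along with autorun.inf.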

Removing the virus from the computer

It is a simple process. If you have Process Explorer (from Microsoft Sysinternals), open it and look for wscript.exe. In my case the process is wscript.exe because that is the Windows Script Host program Windows uses to run .vbs files; the virus script itself creates a WScript.Shell object to do its work.

If you don't have it, download and install it from the link above. It is really worth having on your computer.

Right-click the process and select Properties. In the Properties window, the Path field shows where the program is saved; in my case the virus lives at C:\Windows\System32\semiantivirus.vbs.


If you look at the Command line field, you can see that wscript.exe is executing semiantivirus.vbs, in other words the virus file.

(That is why we cannot stop the USB drive and why the IE title bar says LRI Internet Explorer. If you look at the code, you will understand it better.)

First kill the wscript.exe process (right-click it in Process Explorer and choose Kill Process), then go to C:\Windows\System32.

Find the semiantivirus.vbs file and delete it permanently (select the file and press Shift+Delete). If it is not listed, Folder Options is still set to hide hidden files, as described under the symptoms above; change that setting first.

There you go!!
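The Process Explorer step above boils down to one check: is a script host running, and which script did it load? Here is an added example (not code from the post) that applies that check to a process listing. The four sample processes are constructed; on a live XP machine the same fields come from Process Explorer's Properties dialog or from `wmic process get processid,name,executablepath,commandline`. The function names and the reason codes are my own heuristics: a flagged entry is something to look at, not a verdict.

```python
"""Pick out script-host processes and the script each one is running.

Added example; the process list below is constructed, not captured from
the author's machine.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Where the genuine Windows Script Host binaries live.
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
# The script argument: a quoted path (may contain spaces) or a bare token.
SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))\b', re.I)

# Constructed sample: (pid, image name, image path, command line).
SAMPLE_PROCESSES = [
    (1224, "wscript.exe", r"C:\WINDOWS\system32\wscript.exe",
     r'"C:\WINDOWS\system32\wscript.exe" "C:\WINDOWS\system32\semiantivirus.vbs"'),
    (1680, "wscript.exe", r"C:\WINDOWS\system32\wscript.exe",
     r'wscript.exe //nologo "C:\Program Files\Admin Tools\backup.vbs"'),
    (1900, "explorer.exe", r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    (2044, "wscript.exe", r"E:\wscript.exe", r"E:\wscript.exe SemiAntiVirus.vbs"),
]


def script_from_cmdline(cmdline):
    """Return the script file named on a wscript/cscript command line, or None."""
    m = SCRIPT_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def host_is_genuine_location(image_path):
    """True when the host binary sits in System32/SysWOW64, where WSH belongs."""
    return ntpath.dirname(image_path).lower().endswith(SYSTEM_DIRS)


def triage_processes(processes):
    """Return [(pid, script, reasons)] for every script-host process.

    Reason codes (heuristics, not verdicts):
      host-outside-system32   the wscript/cscript binary is not the one in System32
      relative-script-path    script resolved against the working directory, as an
                              autorun.inf line 'open=wscript.exe x.vbs' does
      script-on-drive-root    script sits at the root of a drive (USB-worm habit)
      script-inside-windows   script stored under \\WINDOWS, as semiantivirus.vbs was
    """
    findings = []
    for pid, image, image_path, cmdline in processes:
        if image.lower() not in SCRIPT_HOSTS:
            continue
        reasons = []
        if not host_is_genuine_location(image_path):
            reasons.append("host-outside-system32")
        script = script_from_cmdline(cmdline)
        if script is not None:
            if not ntpath.isabs(script):
                reasons.append("relative-script-path")
            else:
                drive, rest = ntpath.splitdrive(script)
                if drive and ntpath.dirname(rest) == "\\":
                    reasons.append("script-on-drive-root")
                if "\\windows\\" in script.lower():
                    reasons.append("script-inside-windows")
        findings.append((pid, script, reasons))
    return findings


if __name__ == "__main__":
    for pid, script, reasons in triage_processes(SAMPLE_PROCESSES):
        print(pid, script, ", ".join(reasons) or "nothing unusual")
```

Kill the flagged process first and delete the script it names afterwards; the script path is the one to Shift+Delete. An entry flagged `host-outside-system32` is the one case where the wscript.exe binary itself deserves a look, which is what the size and version check in the comments below is about.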

Another interesting thing.

Here I found that WScript.exe is the Windows-based version of Windows Script Host, the Windows program that runs scripts such as .vbs files. It is a legitimate Windows file; what the command line above shows is that host running the virus script, which is why the script file, not wscript.exe, is what you delete.

However, I'm pretty sure that I deleted the virus file disguised under the name of the original Windows WScript file.



So, after all, everything is simple. Have fun... love you, virus!!

PS: If you know any other ways, or if you think my way is wrong, please do not hesitate to comment. I love learning.

PS2: Removing the virus file is not enough to get rid of it. After removing the file, please continue reading this post to clean up the after-effects of the virus attack.

2 comments:

  1. I created a bat file that does all the good stuff like cleaning the viruses and restoring the Windows functions smoothly.
    Try this:
    www.parikrama.net.np/worm-buster.bat

  2. "The reason is simple. The original WScript.exe starts with a capital W and S, but the virus starts with a lower-case w and s."

    Character case does not matter in Windows, so you can't say that it is a fake wscript.exe.
    The original wscript.exe (version 5.6.0.8820) is 114688 bytes in size. If you have the same version but in a different size, then it could be infected by a virus.
