Wednesday, March 26, 2008

VirusRemoval.vbs Windows Script Host

At last! Got rid of that damn warning.

msconfig did not show this thing. No amount of standard registry scans helped me find this. I looked at the standard Run, RunOnce & Shell hives under HKLM\Software\Microsoft\Windows\CurrentVersion\. Just no use. No entries that were tell-tale traces of this VirusRemoval.vbs.

But done at last! Took some patient Google-searching though. Some kind soul had provided the entire code of the VirusRemoval.vbs script file at:
http://www.thinkdigit.com/forum/showthread.php?t=71097. Looking at the code was enough to tell me where the virus had made entries in the registry.

Go to: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Under that, you will find a value called Userinit. Double-click that value. A dialog box will open up with a string parameter. Edit that to remove just the offending entry. Warning: If you are not sure what the offending entry is, DO NOT modify the value. Please post back the contents of the value here, and we could work out something!

After cleaning up my registry, the value of Userinit for me is: C:\WINDOWS\system32\userinit.exe

Good Luck!
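
A read-only way to check the Userinit value before editing it, as an added example that is not part of the original post. It assumes a clean value lists only userinit.exe under the Windows system32 folder (as in the cleaned-up value above); the function names and the sample string are made up for illustration.

```powershell
# Added example: audit the Winlogon Userinit value without changing it.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: the only legitimate entry is <SystemRoot>\system32\userinit.exe
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Get-UserinitEntries {
    param([string]$Value)
    # Userinit is a comma-separated list of programs; a trailing comma is
    # common and produces an empty element that is dropped here.
    $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

function Test-UserinitValue {
    param([string]$Value, [string]$ExpectedPath)
    foreach ($entry in Get-UserinitEntries $Value) {
        # Expand %SystemRoot% and similar before comparing, case-insensitively.
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        [pscustomobject]@{
            Entry      = $entry
            IsExpected = ($expanded -ieq $ExpectedPath)
        }
    }
}

# Constructed sample value: the second entry is a placeholder, not taken
# from the post or from any real infection.
$sample = 'C:\WINDOWS\system32\userinit.exe,C:\example\unexpected.vbs,'
Test-UserinitValue -Value $sample -ExpectedPath 'C:\WINDOWS\system32\userinit.exe' |
    Format-Table -AutoSize

# Live check on this machine (reads the registry, writes nothing to it).
$live   = (Get-ItemProperty -Path $regPath -Name Userinit).Userinit
$report = @(Test-UserinitValue -Value $live -ExpectedPath $expected)
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.IsExpected }) {
    Write-Warning "Userinit contains entries other than $expected."
    # Save a copy of the key so a manual edit can be undone.
    $backup = Join-Path $env:TEMP 'winlogon-backup.reg'
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup /y
    Write-Host "Backup written to $backup"
}
```

Any row with IsExpected set to False is an entry to review; the script only reports and backs up, so the edit itself is still done by hand as described above.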


horroddommar said...

Hi, I have been getting the windows script 'virusremoval' message you have referred to above. Not being a tech guy I have no idea how to go about the procedure you outlined to resolve the problem. Is there no other easier solution for someone like me?

Sri Charan said...

Hi. The solution requires you to edit the registry. I will try and create a script that will help you clean up the registry automatically. I will post back asap.