Windows Vista Forums
#1 (permalink)

Need a vbscript to fix virusguard.vbs affecting ie

Hi Guys,

This is the first time I login to this vbscript forum. I need help really.

Recently I found a name (Dipak Bhattrai) on internet explorer title bar instead of Windows Internet Explorer. I read some articles and found that all this is because of a culprit VirusGuard.vbs file located at "c:\windows\system32\" It is hidden.

I also found the solution to get rid of this. The steps to follow are

1. End task the process called wscript.exe through taskmanager
2. Unhide all the hidden files and folders including the protected operating files
3. Go to c:\windows\system32 and find VirusGuard.vbs and delete that file.
4. Editing the following registry entry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title again as Windows Internet Explorer

After doing all the above steps we will have the default title as Windows Internet Explorer.

But still there is another entry in registry. The effect is every time we start windows an error message will come like unable to locate c:\windows\system32\VirusGuard.vbs file.

This is because there is the following added entry in "userinit". The location of the entry is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The added entry is something like

C:\WINDOWS\system32\userinit.exe,c:\windows\system32\wscript.exe,c:\windows\system32\VirusGuard.vbs

So we have to make it as the default entry as

C:\WINDOWS\system32\userinit.exe

That's all we have to do.

I am doing all this manually every time when I found this problem in the systems. I know that it is also possible through vbscript. If there is a single vbscript to do all this it will be very helpful for me. So please help me in fixing this issue through a vbscript.

Thanks in advance....
#2 (permalink)

Re: Need a vbscript to fix virusguard.vbs affecting ie

"Want some help" <Wantsomehelp@xxxxxx> wrote in message news:5E720E4E-CB9B-4BDE-9C44-3BC16C3AAA28@xxxxxx

> Hi Guys,
>
> This is the first time I login to this vbscript forum. I need help really.
>
> Recently I found a name (Dipak Bhattrai) on internet explorer title bar instead of Windows Internet Explorer. I read some articles and found that all this is because of a culprit VirusGuard.vbs file located at "c:\windows\system32\" It is hidden.
>
> I also found the solution to get rid of this. The steps to follow are
>
> 1. End task the process called wscript.exe through taskmanager
> 2. Unhide all the hidden files and folders including the protected operating files
> 3. Go to c:\windows\system32 and find VirusGuard.vbs and delete that file.
> 4. Editing the following registry entry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title again as Windows Internet Explorer
>
> After doing all the above steps we will have the default title as Windows Internet Explorer.
>
> But still there is another entry in registry. The effect is every time we start windows an error message will come like unable to locate c:\windows\system32\VirusGuard.vbs file.
>
> This is because there is the following added entry in "userinit". The location of the entry is
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> The added entry is something like
>
> C:\WINDOWS\system32\userinit.exe,c:\windows\system32\wscript.exe,c:\windows\system32\VirusGuard.vbs
>
> So we have to make it as the default entry as
>
> C:\WINDOWS\system32\userinit.exe
>
> That's all we have to do.
>
> I am doing all this manually every time when I found this problem in the systems. I know that it is also possible through vbscript. If there is a single vbscript to do all this it will be very helpful for me. So please help me in fixing this issue through a vbscript.
>
> Thanks in advance....

If your manual registry change of "C:\WINDOWS\system32\userinit.exe" is not persistent then you haven't gotten rid of your virus. Trying to script the registry change is merely addressing the symptoms. You must now find out how to remove your virus properly. Install a good virus scanner or go to www.trend.com and look for "HouseCall" to scan/clean your system on-line.
#3 (permalink)

Re: Need a vbscript to fix virusguard.vbs affecting ie

"Pegasus (MVP)" <I.can@xxxxxx> wrote in message news:ObwC%23m3ZJHA.2620@xxxxxx

> "Want some help" <Wantsomehelp@xxxxxx> wrote in message news:5E720E4E-CB9B-4BDE-9C44-3BC16C3AAA28@xxxxxx
>
>> Hi Guys,
>>
>> This is the first time I login to this vbscript forum. I need help really.
>>
>> Recently I found a name (Dipak Bhattrai) on internet explorer title bar instead of Windows Internet Explorer. I read some articles and found that all this is because of a culprit VirusGuard.vbs file located at "c:\windows\system32\" It is hidden.
>>
>> I also found the solution to get rid of this. The steps to follow are
>>
>> 1. End task the process called wscript.exe through taskmanager
>> 2. Unhide all the hidden files and folders including the protected operating files
>> 3. Go to c:\windows\system32 and find VirusGuard.vbs and delete that file.
>> 4. Editing the following registry entry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title again as Windows Internet Explorer
>>
>> After doing all the above steps we will have the default title as Windows Internet Explorer.
>>
>> But still there is another entry in registry. The effect is every time we start windows an error message will come like unable to locate c:\windows\system32\VirusGuard.vbs file.
>>
>> This is because there is the following added entry in "userinit". The location of the entry is
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>>
>> The added entry is something like
>>
>> C:\WINDOWS\system32\userinit.exe,c:\windows\system32\wscript.exe,c:\windows\system32\VirusGuard.vbs
>>
>> So we have to make it as the default entry as
>>
>> C:\WINDOWS\system32\userinit.exe
>>
>> That's all we have to do.
>>
>> I am doing all this manually every time when I found this problem in the systems. I know that it is also possible through vbscript. If there is a single vbscript to do all this it will be very helpful for me. So please help me in fixing this issue through a vbscript.
>>
>> Thanks in advance....
>
> If your manual registry change of "C:\WINDOWS\system32\userinit.exe" is not persistent then you haven't gotten rid of your virus. Trying to script the registry change is merely addressing the symptoms. You must now find out how to remove your virus properly. Install a good virus scanner or go to www.trend.com and look for "HouseCall" to scan/clean your system on-line.

infected cd that repeatedly re-infects you. However, assuming your steps are correct (and they could well be incomplete if you keep getting reinfected), the following untested program might help. Note that it should be run using cscript, or stopping the wscript process will stop this script as well.

```vbscript
Option Explicit

Dim strComputer, objReg, strKeyPath, strEntryName, strValue
Dim objWMIService, colFiles, objFile, colProcesses, objProcess

Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_CURRENT_USER = &H80000001

strComputer = "."

' Terminate process wscript.exe
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
    & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_Process WHERE Name = 'wscript.exe'")
For Each objProcess In colProcesses
    objProcess.Terminate()
Next

' Delete file VirusGuard.vbs.
Set colFiles = objWMIService.ExecQuery _
    ("SELECT * FROM CIM_DataFile WHERE Name = 'c:\\Windows\\system32\\VirusGuard.vbs'")
For Each objFile In colFiles
    objFile.Delete
Next

' Modify IE title in registry.
Set objReg = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\" _
    & strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Internet Explorer\Main"
strEntryName = "Window Title"
strValue = "Windows Internet Explorer"
objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strEntryName, strValue

' Modify Winlogon Userinit.
strKeyPath = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
strEntryName = "Userinit"
strValue = "C:\Windows\system32\userinit.exe,"
objReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strEntryName, strValue
```

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
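As an added example that is not part of the thread or any poster's code: a read-only PowerShell check for the artifacts named in post #1, meant to be run after cleanup and again after a reboot to see whether the Userinit change persisted (the concern raised in reply #2). The helper names, treating an absent Window Title value as clean, and PowerShell 2.0 or later are assumptions.

```powershell
# Added example, not from the thread. Read-only: nothing is changed.
$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IeMainKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ScriptPath   = Join-Path $env:SystemRoot 'system32\VirusGuard.vbs'
$DefaultTitle = 'Windows Internet Explorer'   # title string given in the thread

function Get-UserinitExtra {
    # Hypothetical helper: split a Userinit value on commas and return every
    # entry other than <SystemRoot>\system32\userinit.exe. PowerShell string
    # comparison is case-insensitive, which suits Windows paths.
    param([string]$Value, [string]$SystemRoot = $env:SystemRoot)
    $expected = Join-Path $SystemRoot 'system32\userinit.exe'
    foreach ($entry in ($Value -split ',')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if ($path -and $path -ne $expected) { $path }
    }
}

function Get-RegValue {
    # Hypothetical helper: return a registry value, or nothing if it is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$findings = @()

$userinit = Get-RegValue $WinlogonKey 'Userinit'
$extras   = @(Get-UserinitExtra -Value $userinit)
if (-not $userinit) { $findings += 'Userinit value is missing or empty' }
if ($extras.Count)  { $findings += "Userinit launches extra programs: $($extras -join '; ')" }

# Assumption: an absent Window Title value is treated as clean.
$title = Get-RegValue $IeMainKey 'Window Title'
if ($title -and $title -ne $DefaultTitle) { $findings += "IE Window Title is '$title'" }

# File.Exists also sees hidden and system files, so nothing has to be unhidden.
if ([System.IO.File]::Exists($ScriptPath)) { $findings += "$ScriptPath is present" }

# wscript.exe can be legitimate; a running instance is only a prompt to look closer.
$procs = @(Get-Process -Name wscript -ErrorAction SilentlyContinue)
if ($procs.Count) {
    $findings += "wscript.exe running (PID $(($procs | ForEach-Object { $_.Id }) -join ', '))"
}

if ($findings) { $findings } else { 'None of the artifacts from the thread were found.' }
```

Any extra Userinit entries it prints are the programs Winlogon would start at logon, so they show what else still needs to be removed before the value is reset.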