Funny UST Scandal.avi Virus---Tutorial

[Abhishek Dwivedi]

Remove Funny UST Scandal.avi.exe (Vista and XP)


I came across many people (including me) who got infected by the Funny UST Scandal.avi virus. This tutorial guides you through the manual process of removing this Virus from Windows Vista and Windows XP systems.

Details:
1) This will block your Task Manager, Registry Editor and Command Prompt.
2) It hacks in your Yahoo Messenger and sends stupid and senseless messages to them and even a copy of itself. (ask gigacore if you don’t believe me!!!)
3) It will log your all key strokes and send them to an unknown email address through IM.
4) It slows down your system badly and reinstalling the OS will do no good.
5) It will disable the search and viewing of hidden files.

It’s built using AutoIt V3 virus programming software.--(source= some blog)


Windows XP:
This virus was made mainly to infect XP and Windows NT systems. In XP and NT systems, it makes the following files:
a) Killer.exe (4084 kb) in c:\windows\
b) lsass.exe (3920kb) in c:\documents and settings\all users\start menu\programs\startup
c) xmss.exe (4088kb) in all partitioned drives and in c:\windows
d) autorun.inf (1kb) in all partitioned drives with a script.
e) Funny UST Scandal.avi.exe in all partitions and Funny UST Scandal.exe in c:\Windows.


This Virus makes the following registry entries:
a) HKLM\Software\Microsoft\WindowNT\CurrentVersion\Wi nlogon
shell(killer.exe or xmss.exe)
b) HKCU\Software\Microsoft\windows\Currentversion\Run
Runonce(c:\windows\xmss.exe)

If the virus has completely installed itself, then you can find all these files in your system.

To remove this virus:
a) In order to removes the files, you’ll first have to stop the execution of this virus. To do so, download this file and run it.
b) Now open cmd.exe and go the above mentioned locations and unhide the files by typing: attrib –h –s Funny UST Scandal.exe for C:\windows and so on for all the other files in different locations. You might get an error while unhiding Funny UST Scandal.avi.exe which is placed in all partitions. If you get that error, just leave that file.
c) After unhiding all these files, delete them from your hard disk.
d) Download REPLACER and open it.
e) In the REPLACER type: c:\Funny UST Scandal.avi.exe and press enter. It will now ask you for another file. Create a text file named a.txt in C:\ and then type: c:\ a.txt and press enter. Press Y and press enter. Go to C: drive and there you’ll find 3 files named Funny UST Scandal.backup, Funny UST Scandal.exe and a Temp file. Delete them.
f) Repeat Step e) for all you partitions.


Windows Vista:
Files included:
a) xmss.exe (4088kb) in all partitioned drives and in c:\windows
b) autorun.inf (1kb) in all partitioned drives with a script.
c) Funny UST Scandal.avi.exe in all partitions and Funny UST Scandal.exe in c:\Windows.

Registry Entries:
a) HKLM\Software\Microsoft\WindowNT\CurrentVersion\Wi nlogon
shell(killer.exe or xmss.exe)
b) HKCU\Software\Microsoft\windows\Currentversion\Run
Runonce(c:\windows\xmss.exe)
The second key might no be present.

Removing the Virus:

To remove this virus:
a) In order to removes the files, you’ll first have to stop the execution of this virus. To do so, download this file and run it.
b) Now open cmd.exe and go the above mentioned locations and unhide the files by typing: attrib –h –s Funny UST Scandal.exe for C:\windows and so on for all the other files in different locations. You might get an error while unhiding Funny UST Scandal.avi.exe which is placed in all partitions. If you get that error, just leave that file.
c) After unhiding all these files, delete them from your hard disk.
d) Download REPLACER and open it.
e) In the REPLACER type: c:\Funny UST Scandal.avi.exe and press enter. It will now ask you for another file. Create a text file named a.txt in C:\ and then type: c:\ a.txt and press enter. Press Y and press enter. Go to C: drive and there you’ll find 3 files named Funny UST Scandal.backup, Funny UST Scandal.exe and a Temp file. Delete them.
f) Repeat Step e) for all you partitions.

As you can see that the procedure for both the OS is same just the files are different. I have tested the steps myself on Windows XP sp2 (my desktop), Windows Vista Home Basic (my lappy), Windows Vista Home Premium (my friends lappy) and Windows Vista Ultimate (my desktop).
Hope this guide is useful. Happy Removing…

[kpmsivachand]

Good info.... But you pasted two times of removing method

thanks..

[gaurav_indian]

I cant download that newfolderremoval.exe file

[Abhishek Dwivedi]

thx guys....i didn't double posted da steps...just reppeated den again for vista....
@gaurav: u moght not b able 2 DW da file as the virus migh b running on ur sys....try to terminate da XMSS.EXE file running as Admin. n den DWing...

[pushkaraj]

nice tutorial. thanx

[PCWORM]

Thanx a ton man...
my pc is infected with the same virus..

[phreak0ut]

Very informative. Thanks

[Abhishek Dwivedi]

thx for da comment...hope it helped u all

[ajayritik]

Thanks for the information. I have tried with couple of suggestions from the net but they didnt work. I will try your suggestion and see whether it helps. This Virus has created a menace.

If these steps have worked for anyone can they reply please. I'm having hell of trouble with it.

[Abhishek Dwivedi]

it has wrkd for me...try it...

[ajayritik]

Abhishek the virus actually infected my PC through iPod. Do you know how we can remove it from the iPod?

[PCWORM]

Quote:

Originally Posted by ajayritik

Abhishek the virus actually infected my PC through iPod. Do you know how we can remove it from the iPod?

If there's any provision of formatting ur player,,,do it,,,i did with my pendrive
and the file was wipedout,,,
And thanx topic-creator,,ur solution has worked 4 my pc,,,thanx a lot...!!!!

[ajayritik]

Quote:

Originally Posted by PCWORM

If there's any provision of formatting ur player,,,do it,,,i did with my pendrive
and the file was wipedout,,,
And thanx topic-creator,,ur solution has worked 4 my pc,,,thanx a lot...!!!!

Hey I got confused when you were Thanking topic-creator I was actually searching for someone by that name in the posts but I think you were thanking Abhishek. I will try the steps given by Abhishek.

I heard somewhere that we should not format the iPod. We need to restore it. Since I'm not able to connect to the internet can I restore(format) the iPod using some software that I can download from my friend's PC. I have the CD that came with the iPod but that has an older version I think.

[Zeeshan Quireshi]

Quote:

Originally Posted by Abhishek Dwivedi

It slows down your system badly and reinstalling the OS will do no good.

I have a doubt with this One .

How can Reinstalling the OS , NOT remove the virus ?

[zyberboy]

^^becoz it easily gets infected again when opening other drives.

[koolbluez]

=I never faced big prob from this harmless virus. all i do is Ctrl+alt+delete... close xmss.exe, funny....exe in task manager processes, "search"(incl hidden files) in the suspicious usb/drive for xmss, autorun.inf & funny terms and delete these 3 culprit files. Remove the usb & put it back into slot. Then it's as good as new !!!! No dos, no live cds...!!!

Never got that killer.exe.. in my drives at all!!! Now, why did that happen?

What i did is tried and tested... worked for all the drives/usb sticks my friend's got/brought...

[ajayritik]

I was able to access my computer and other drives using the New Folder thing but I'm unable to use the attrib command to delete the files. Infact I can't locate these files.When I use Replacer to replace the file it gives Access denied message.

[Abhishek Dwivedi]

@ajayritk: which OS do u use...try booting up with Linux and searching all 2-4MB sized file with X,S,M,A,U,AUTORUN wrd in them and delete the one which are marked above...
also download ULBLOCKER and install it and unblock da files in which u get access denied

[ajayritik]

Thanks for the information Abhishek! Just a small update after my last post. When I logged into Safe mode I was able to locate the files and delete them as well. Same was the case with deletion of the keys in registry. I have Windows XP SP2. With regards to Linux I dont' have any Linux CD except for Kubuntu. I tried Kubuntu but I dont know how to access or browse through the directories in Kubuntu. Can you explain about it?

[PCWORM]

Quote:

Originally Posted by ajayritik

Hey I got confused when you were Thanking topic-creator I was actually searching for someone by that name in the posts but I think you were thanking Abhishek.

sorry 4 that,,use slax os to delete the files...the interface is simple as winxp

[topgear]

Great Trick
Keep up the good work

[sun_rane007]

Thanks dude Nice tuts

[angad.ssingh]

I think this link would be usefull in addition to the above

[phuchungbhutia]

Nice info . . I had this virus and i removed those files with ubuntu cd . .

[Abhishek Dwivedi]

what do u mean nirjhar???