I Killed The Funny UST Scandal Virus
I got this virus about a month ago when suddenly my colleagues plugged in his USB flashdisk into my laptop. It was like “Argh” moment of despair and anger. But this helps me to solve the problem eventually. My friend, Fandi, used to chat around about computers and viruses. He used to breed some, too (keeping virus in his local harddisk, ZIP it, and show it to his friends). It’s not that he wants to harm everybody, but to share his knowledge about the virus. The same way I’m doing this to you now.
Here is the summary I got from TechPinoy Online:
General Overview:
Software used to build the virus= AutoIt V3
drop Files- killer.exe(4084 kb) in c:\windows\
lsass.exe(3920kb) in c:\documents and settings\all users\start menu\programs\startup
smss.exe(4088kb) in all root drives and in c:\windows
autorun.inf(1kb) in all root drives with a script
Autorun Command:
[autorun]
open=smss.exe
shell\Open\Command=smss.exe
shell\open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\command=smss.exeThe Symptoms:
Creating hidden file of Funny UST Scandal.avi.exe(228kb) in all root drives
Disabling “Show Hidden File” and “Show System File” in Folder Option
Immediately closing down every Folder Option and Regedit windows opened (Disabling you from changing it)
How to Kill it?
If you are already got the symptoms, you can either follow my steps or just download the 1 type virus removal from PinoyTech.
The point of this steps is to disable the task already run in Task Manager and recover your registry regarding Folder Option items.
There are two alternatives, you can either download task killer from here or download processxp from here
For Task killer:
run taskiller and left click it on the system tray(the one with a skull icon)
click processes
to close the virus, select process and click yes to the question
(process to close)
- killer.exe
- lsass.exe (careful with this, this is also valid Microsoft process)
- smss.exe (in my case it was xmss.exe, also careful with this)
Note: close only file that have the same icon of Funny UST Scandal.avi.exe
For ProcessXP:
Run ProcessXP
It will run as a replacement of your Task Manager, which will be closed by the virus immediately. But fear not, it won’t closed, but it will be minimized to your system tray icons.
Quickly search for the “alien” process and press Del to kill it. In my case, I only delete the xmss.exe, and it’s gone! The virus will not be active anymore, unless you accidentally double click it.
This is how the icon looks like (it’s a masterpiece of an icon, but dangerous!):
The steps doesn’t end here, you still need to remove the funnyustscandal.avi.exe file from any hard disk drives directory that you have (only the hard disk directory, not deeper than that).
Another Two Alternatives:
Since you can’t view the file (it was hidden by the registry entry made by the virus), you must clear the registry first:
Download ANSAV antivirus from here.
Run the antivirus, select the Registry FX plugin by Eko Sugiarto. Check the “Show Hidden File”, “Enable Folder Option”, and “Show File Extension”. Click Restart Explorer. Then You can see those hidden files.
Delete the funnyustscandal.avi.exe from every drives directory (including your removable disks)
Other way, with Command Prompt (from TechPinoy Online):
1-now, click “start” then “run”
2-type “cmd” without quotes
3-type “cd\” without quotes
4-type “attrib -h -s smss.exe” without quotes
5-type “attrib -h -s autorun.inf” without quotes
6-type “start c:” without quotes(a new window will open)
7-select smss.exe,autorun.inf,Funny UST Scandal.avi.exe and delete itIf theres any drive or a partition type “d:” in command prompt without quotes
“d” is the drive letter then repeat the CMD STEPS number 4-7 above…….
- now type this on the command prompt “cd windows” without quotes
- type “attrib -h -s smss.exe” without quotes
- type “start c:\windows” without quotes
- delete the file smss.exe
- now, goto c:\documents and settings\all users\startmenu\programs\startup
- delete lsass.exe
Final steps
Destroy these registry entries by running REGEDIT from start menu, “run”, then type “regedit” and enter:
This is how ProcessXP looks like:
Don’t let such a virus disturbs you and don’t rely on antivirus too much. Read this article for more information (in Indonesian):
- 5 Alasan Untuk Tidak Sepenuh Hati Percaya Antivirus
- Funny UST Scandal Avi.Exe Remover
- Generic problem for all Operating Systems Funny UST scandal virus
Update (January 26th, 2008):
I just try out a remover tool by ghigz (you can see his/her comment down below) and found out that it can remove the funny ust scandal automatically. But still, it doesn’t throughly search your PC for the source. For this experiment I run the virus in my PC from a compressed zip file. It’s true that the virus had vanished, but the registry wasn’t fully fixed and the source file were not deleted. Yet I tried again those steps above to manually remove the virus permanently.
However, I recommend this remover tool for you to download from ghigz’s link or mine. All you need to do is:
1. run the remover tool,
2. fix the registry, and
3. search for funny ust scandal.exe or xmss.exe or smss.exe in every hard drive directory
Tags: computer, funny ust scandal, ProcessXP, TaskKiller, virus
thank you…^^::^^
nice tutorial ! is really working, got rid of this f**King Virus ! Thanks
i know how to remove funny virus .step 1 first close all the applications that are running on your systen and then install quick evaluation copy then go to antirootkit run and it will delete all your funny uts scandal virus
thankuuuuuu verrrrrry mucccch.It is working now i will not be fed up of this virus
@Gelly:
@Amit:
@Razer:
Thanks a lot, u helped me a lot.
i never forget u my dear friend
wow…. thanks for this info….
matutuwa ang mga friends ko nito….
sa wakas madedelete n din sa kanilang pc ang virus na ito…
thks a lot…. ^^
@Niranjan & Michael:
This is great, I think most of the people who read the tutorials understand clearly.
good tutorial, thankz dude
thank you for this information… i learned a lot from this and truly effective… thanks again…
i dont understand the last step.the regedit things.I typed regedit in start\run:What should i do next?
@capub:
Thank you for alot of info about the virus!
But I’m still having trouble though. It seems the one I accidentaly have is a heavier version of the virus. I followed your steps but once I start running the TaskKiller, it would crash to desktop after a few seconds. I still managed to install though by being quick the second time around.
I then ran TaskKiller and I was surprised to find only smss.exe, without killer.exe, and there was only 1 lsass.exe which I cant tell whether its a small L or a capital i.
Another problem would be the command prompt or cmd which the virus seems to be blocking as well because it closes as soon as I run it.
I hope there are ways to fix my problem because I virtually cant use my laptop right now
@Bobby:
I hope this will solve the problem
Thank you sooooooooooo much the regedit thing helped me get rid of this virus
Never heard of the virus, but I will sure keep my eyes open for it.
Jan 22nd 2008- I will let you know how I do. From what I read, this will work. By the way, who turn was it to watch the virus when it got loose?
I found a link:
http://www.4shared.com/file/30402575/d70dafa8/Remover.html
I need the original Virus back to see if it worked.
My ‘A’ drive is quiet now though. can someone sen me the virus in a zip file?
cheers mate..
that virus is a real pain in the ass.. >.<
@Sahil:
@Leon:
@Magic:
@JP:
http://www.geocities.com/six519/Remover.zip
download nio lng toh
@Ghigz:
thanks for the path to the truth. but i don’t think disabling the regedit is necessary. anyway, you saved me from formatting! thanks a lot!
hello friends,,,,
this is the removeal of funny scandal.avi.exe and autirun.inf…. pls download this exe..file and install it….
the funny virus is to funny when ever ur instaling any software it automatically remove the installing file….so pls dont clik on the funnny.avi.exe….ok thank
When I wenr through regeit,it said THe value of shell was explorer.exe………..is it safe?Or should I delete it?
thanks to this guide. ^__^
@Matthew:
hi
nice post!
please help me i dont know how to kill the f****ng virus!!
@Jason:
dude thanks a ton man thanks a lot trust me u have saved me i had my presentation tomoro thanks a lo again!!!
@Sid:
Thanks alot this really helped me. Its very interesting………..
sir this vorus has fully damaged my pc please send the removal ….
My sister’s PC got infected last night after I had plugged in my USB pendrive which I was not aware had UST virus on it. I saved the remover on diskettes and it only got infected and I cannot open it anymore. I wonder if it will do the same If I burn a copy of the remover and other programs to a CD then run everything as per instructed here. I only had one USB pendrive which I believe will infect my PC here at work if I plugged it in here to copy my remover…Please advice, thanks a lot….
@amit:
@aeronagean:
hey help…i got infected with this f*ckin virus i try evrything just to get rid of these but nothin works…..am desperate for help…whoever did these virus wish him luck….am so mad…
hi why it didnt work for me
evrytime i type those command it says file not found..now i cant open the internet…am lost o dont know what to do..help…
hi, my problem is not this virus,
my problem is i have my ‘folder option’
its there in tools menu and its opening also, but whenever i click on show files radio btn, it accepts, bt when i apply settings and again open folderoption all settings are restored as original,
means i cant register my values of folder option,
i also tried to change few registry values like show superhidden and show hidden files to 1.
bt still its not showing,
i have changed local machine and current user both settings,
please help, i have not formatted my laptop for 2 years already, and i dont want to do this, just one problem left, all others are fixed already!
thank you
_rAvi
@Ravi:
sir , i have follwed your advice but it delete that’s time only when i restart my computer it will come again . what i shoud do plz tell me. i wait for ur hournable reply. i used windows xp
@Moorthi:
thanx sir,
awesome dear…thanks for the information…i was wandering hw to remove funny ust scandal virus frm my computer…but lemme thanks ANSAV antivirus…it gr8
hey brother thanks verry much i was know of the fact that my computer have virus but never done anything for this but when day i found my disk space is going low and i m not able to open folder option and task manager then realised to do something about that
then downloaded software ansav and scanned and found 63 viruses
first word came on my mouth is “sh*t”
but u helped me a lot thanks bro
*strong words edited
hi gr8 job
my problem is ,only my “show hidden files and folders” in the folder option is not working. I dont know much about a pc and please help me to solve my prob in a simple way plz ………
u said that lsass.exe and smss.exe are valid Windows process. if that so, how will i be able to determine the valid one from not?
i used already task killer to delete those two exe but whenever i turn on the pc, it keeps coming back.. though, my task manager and folder options are working properly.
pls help..
@hareesh:
@chadrey:
Need help.. My laptop was infected with UST. and I managed to clean it by format(though needed to format all the drives).
How can I clean USB - Do I right click on the drive and format that?
I wan know how can i be sure that the cds that I have played during the time of system infection are infected or not.
Also I used the USB drive in laptop and used the same USB in my car stereo. I am sure that USB is infected. Will it effected my car stereo system?
in folder option whenever i enable “show hidden file” option and press ok it automatically changes to “dont show hidden files”
rest all other problems are solved.
is the virus still in my pc
if yes how to solve this problem..
@Ashish:
@vivek
I picked up this virus whilst on a business trip to Sri Lanka. It began to eat my laptop! Thank you for taking the trouble to find a bullet for this one, much appreciated. The guidance was very clear. Keep up the good work!
i want to remove funny ust scandal virus from my computer
THANKS…………………..
I use ANSAV I was able to show the hidden files. But folder options:
Do not show hidden files and folders
Show hidden files and folders
are not marked.
and after i marked the Show hidden files and folders, all the hidden files will not be shown again and i need to use ANSAV again to show the hidden files. Can I do somthing to fix this? thanks for your help.
@pocoyo:
followed the tutorial and thanks again for sharing
thanks a lot mate… helped a lot
could someone possibly upload the virus zipped for me?
would like to test my self made remover which should
even fix the “show hidden file” issue…
It’s unfortunate that any email provider will scan it as a virus before you can download it -.-
no chance via rapidshare or mihd.net?
or any other filehoster?
Oh, crap, I forgot those. Unfortunately, mine already deleted -.-
too bad…
well some lost hours more coding stuff i can’t actually use…
thanks anyway
got my hands on the virus and finished the remover…
if the solution by firewalker and the app from PinoyTech did work out for you just ask here and i’ll upload the tool… its also fixes the restore
hidden file issue…