# Funny UST Scandal Virus



## me_ankitroy (Feb 5, 2008)

Friends,

Can anyone tell me how to remove this virus? It does not go away even after reinstalling Windows.


----------



## hullap (Feb 5, 2008)

*4paisa.blogspot.com/2007/12/funny-ust-scandal-virus.html


----------



## mediator (Feb 5, 2008)

Yeah, this one is going popular I guess!
Neways, the fix is simple! The virus simply copies 3 files in ALL THE PARTITIONS and then when u reinstall windows, it simply auto executes from the files copied to different drives/partitions.

Fix : U need to get those files removed FROM ALL THE PARTITIONS.

Files : 'smss.exe', 'Funny UST scandal.avi.exe', 'autorun.inf' (in all the partitions) and then 'killer.exe', 'net.exe', 'net1.exe' AFAIK in c:\windows\system32

U can search for where the last 3 files exist.

Probably, u won't be able to delete those files as the explorer closes if u open task manager, run anti-infection-ware or try to access those files.

So, the best way is to get a knoppix cd, and delete these files manually and maybe then do a reformat+reinstall as a last option!!


----------



## zyberboy (Feb 5, 2008)

Download the KAV 6 trial version and do a scan after updating: *www.kaspersky.com/
I have done the same on one of my friend's computers; KAV detects it.


----------



## utsav (Feb 5, 2008)

There is a thread in tut section to remove this virus


----------



## vaibhavtek (Feb 5, 2008)

just move here


----------



## ajayritik (Feb 5, 2008)

Even my PC got infected with this virus and it's giving me a lot of trouble. I'm going to check the resolution provided by Abhishek in the posts!


----------



## vaibhavtek (Feb 5, 2008)

I never found *Funny UST Scandal Virus* in my pc..!!!

@ajayritik btw how did u get that *Funny UST Scandal Virus*?


----------



## mediator (Feb 5, 2008)

Damn, I cud have emailed it to u. Cleaned mah PC, just a week ago!!


----------



## ajayritik (Feb 5, 2008)

mediator can you email the process to me at my address. You can leave a PM of email address I will mail then you can send me a reply. Vaibhav I connected my friend's iPod to my PC which had that virus.


----------



## mediator (Feb 5, 2008)

The process is the same! What I did was
1. Fired up knoppix 5.1 (Linux distro) and deleted the files I mentioned
2. Formatted the C: drive and installed a clean copy of windows on it.

This one is a nasty virus. But wth, I was about to reformat/reinstall anyways as the windows was working slow again these days.


----------



## ajayritik (Feb 5, 2008)

mediator thanks for the info! I don't have the knoppix CD with me. Any other workaround for it? Is it really necessary for me to format the C:? I was thinking if I can do without reinstalling and formatting C:. I found the virus in other drives also; do you think I need to format other drives as well? I have a lot of data in other drives. I hope I don't have to format the other drives. Where can I get the knoppix CD?


----------



## utsav (Feb 5, 2008)

Either download it or get it frm me


----------



## dOm1naTOr (Feb 5, 2008)

I think ive a copy of this funny UST SCandal virus on ma Phone W 700i which got copied into it due to autorun. Ive removed it from PC but its still there on ma phone. Nd i havnt plugged it again


----------



## mediator (Feb 5, 2008)

Nah, u don't necessarily need knoppix CD. But having one can be more useful than u can think of. It can save u when ur hard disk has gone nuts and is refusing to boot or windows is not showing its face. U can do word/presentations quickly, backup data and much more. It's a complete OS on a CD.

But even if u have recent DIGIT cds, then also Ubuntu can back up the data and help u delete those files.

But neways, u don't have to format!! U asked what I did, so I told. U only have to delete the files I mentioned and thats upto u whicheva way its convenient 4 u to delete em.

In 2nd post there is a link which doesn't mention all the files I did, bt mentions some additional files. U can delete all these files which I mentioned+the link one.

I think u shud give a try to windows 98 startup floppy if u don't have knoppix and then delete those nasty files.

But I wud really suggest knoppix to anyone who does thorough maintenance of his PC. Just check it out, its around 700 Mb download (ISO file) and u have to burn it on a CD and then boot from CDROM.


----------



## ajayritik (Feb 6, 2008)

mediator I have the latest kubuntu CD with me. Do you think that can help me in anyway? I'm trying to download the Knoppix. What is the exact procedure that I should follow if I have the Knoppix CD with me or if I have the kubuntu cd?


----------



## dOm1naTOr (Feb 6, 2008)

Just use the live CD to boot into it nd u can clearly see those files in respective locations. U just delete those nd do a clean install of XP after formatting the current one.
Me too once removed this funny thing using a LIVE windows disc nd a clean reinstall after a format of c.
It won't work if u dun format the current windows as the virus will get back from some system files [inside system 32 i think, nd the file name is different inside that].


----------



## ajayritik (Feb 6, 2008)

What is Live CD?


----------



## zyberboy (Feb 6, 2008)

^^ *www.nu2.nu/pebuilder/


----------



## praka123 (Feb 6, 2008)

ajayritik said:


> What is Live CD?


basically,livecd's are GNU/Linux CD's/DVD's which can boot from CD and run the Linux OS from CD instead of hdd.
*en.wikipedia.org/wiki/LiveCD

even live usb's are there 
*en.wikipedia.org/wiki/Live_USB

now so called win live-cd's are there.but they cant come near Linux livecd's when it comes to immunity as win viruses cant do anything in Linux


----------



## ajayritik (Feb 6, 2008)

Thanks for the info praka! I have Kubuntu CD with me, do you think that will serve the purpose? Can you suggest how I can remove this virus using kubuntu software?


----------



## mediator (Feb 6, 2008)

I dunno abt Kubuntu, bt I guess it shud do. If u r downloading Knoppix then let it download as well.
1. Download the ISO file
2. Burn that image to a CD
3. Boot from that CD
4. "Search and destroy" the mentioned files.
5. Boot with XP CD
6. Reformat C:, Install Xp!!


----------
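
Added example (not part of any post in this thread): a read-only shell script for the live-CD route discussed above, listing the file names mentioned in the thread on Windows partitions that are already mounted. The mount points passed as arguments and the output tags are assumptions of this example; `net.exe` and `net1.exe` are also the names of standard Windows components, so those hits are tagged for verification rather than removal.

```shell
#!/usr/bin/env bash
# Read-only triage from a live CD: list the file names reported in this thread
# on already-mounted Windows partitions. Nothing is deleted.
# Usage (mount points are assumptions): ./scan.sh /media/sda1 /media/sda5

# scan_partition MOUNTPOINT -> prints "TAG<TAB>detail" lines, one per finding.
scan_partition() {
    local mnt=$1 f win sys32 line
    # 1) Partition root: the three names the thread says land on every drive.
    #    Windows "hidden/system" attributes do not hide files from Linux.
    find "$mnt" -maxdepth 1 -type f \( -iname 'smss.exe' \
        -o -iname 'Funny UST scandal.avi.exe' -o -iname 'autorun.inf' \) |
    while IFS= read -r f; do
        printf 'ROOT\t%s\n' "$f"
        case "$(basename "$f" | tr '[:upper:]' '[:lower:]')" in
            autorun.inf)
                # Show what this autorun.inf would launch (open= / shellexecute=).
                tr -d '\r' < "$f" |
                grep -iE '^[[:space:]]*(open|shellexecute)[[:space:]]*=' |
                while IFS= read -r line; do printf 'AUTORUN\t%s\n' "$line"; done ;;
        esac
    done
    # 2) <windows>/system32, matched case-insensitively (WINDOWS vs Windows).
    find "$mnt" -maxdepth 1 -type d -iname 'windows' | while IFS= read -r win; do
        find "$win" -maxdepth 1 -type d -iname 'system32' |
        while IFS= read -r sys32; do
            find "$sys32" -maxdepth 1 -type f -iname 'killer.exe' |
                while IFS= read -r f; do printf 'SYS32\t%s\n' "$f"; done
            # Windows itself ships net.exe and net1.exe here: compare against
            # a known-good copy before removing anything.
            find "$sys32" -maxdepth 1 -type f \
                \( -iname 'net.exe' -o -iname 'net1.exe' \) |
                while IFS= read -r f; do printf 'VERIFY\t%s\n' "$f"; done
        done
    done
}

# Scan every mount point given on the command line.
for mnt in "$@"; do scan_partition "$mnt"; done
```

A legitimate `smss.exe` lives in `system32`, which is why the script only reports that name when it sits in a partition root.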



## ajayritik (Feb 6, 2008)

Right now I'm downloading Knoppix. But I wanted to know how I could do the step 4 that you have mentioned. Do I have to use any application to search the files? Thanks!


----------



## mediator (Feb 6, 2008)

Nope! I guess u r thinking linux is difficult. But neways, u don't need to search also. The files smss,UST scandal,autorun etc reside in the roots of the partitions like in c:\,d:\,e:\. I have mentioned about all.


----------



## mediator (Feb 6, 2008)

I wonder y others didn't post this before!
*www.thinkdigit.com/forum/showthread.php?t=78794


----------



## dOm1naTOr (Feb 6, 2008)

there are fixes for this file nd the hack just stops the service of this virus....nd u can manually delete them from within windows itself, but it will not be removed from windows system32 folder. So after that do a format nd clean install of XP wud do the job...
DO u want that fix?


----------



## ajayritik (Feb 6, 2008)

Sure I want the fix can you provide it to me?


----------



## dOm1naTOr (Feb 6, 2008)

*www.mediafire.com/?1mhfm5wynha


----------



## ajayritik (Feb 7, 2008)

I ran the Kubuntu Live CD but I don't know how I can access the files or how I can delete them. There are things like /etc /bin. The interface is not like Windows Explorer or command prompt. How do I locate the file? Do we have any application in kubuntu which resembles command prompt? I think I have to figure out which folder or directory I have to access. Is there anything called mount thing necessary here? Can I get Knoppix from Digit CD?


----------



## lywyre (Feb 7, 2008)

Sometimes, it takes time for our favourite AV company to find a cure for the damnedest latest virus. In the meantime we will be suffering with our super secure Windows XP with Service Pack 2.

But most viruses have some characteristics. First, they are files like any others and executables like many others. Two, they need to be run/triggered or they need a host to run like a parasite (like running under explorer.exe) or they may camouflage themselves as some other Windows programs/services (svchost.exe, spoolsv.exe, smss.exe, csrss.exe). And most of them have the system attribute set to keep from being detected in Explorer. And yes, they disable/screw up folder options so that we don't see them anyway. And lastly they all steal data and they all mass mail themselves to email ids they harvest from our systems.

Most of them can be removed by us manually. It would be time consuming, frustrating and irritating. But they can be removed. Most common places they reside are: %WINDIR%, %WINDIR%/system32, %TEMP%, My Documents, root of the drives. Some are triggered by opening the folder (Autorun.exe), custom script of the directory (desktop.ini) or by double clicking (like having the icon of an image file).

Most of us have forgotten the lame, useless, complex (and what not) command line. Truth is, command line is more powerful, smart and effective than the gui. With a combination of certain free tools, we can remove most virii/trojans using command line.

Tools required: ProcessExplorer and Autoruns from Sysinternals.com (now Microsoft) and cmd.
*technet.microsoft.com/hi-in/sysinternals/default(en-us).aspx

Run Process Explorer and end task explorer.exe, and virii/trojans that run under it. Warning: do not end any task that runs under 'Services', unless you know what you are doing. It is better to close any IE windows too. Need not worry about firefox/opera. Don't close ProcessExplorer yet. If your task manager is disabled you cannot start explorer again.

From the menu choose 'Run' and run 'Autoruns.exe' from where you have saved. This will list all the programs that run during startup. Note down the locations of malware and navigate to that location in the command window and delete the file. The file may be marked system, in that case, the attrib can be changed using the command '\>attrib -s -h -r filename.ext'. Delete all the autorun.inf files from the root directories. Now delete all the malware entries in Autoruns.exe. Now start the explorer again using "Run" in ProcessExplorer.

This can be effective against most malware that spread through portable storage devices and I use this method to remove Semo.exe, amvo.exe, d.com and some other malware that get into my system. Hope avast finds this soon.


----------



## rollcage (Feb 7, 2008)

Hey, it's a spyware not virus, that's why not removed by the AntiVirus.. technical diff haha. wtf.
I use ESET System Security.. that has everything built in, with NOD32 AV

This virus that you got comes from Pen-drives generally.

Anyways to remove follow this-

try what posted here and 
 *www.thinkdigit.com/forum/showpost.php?p=739618&postcount=3 

If you running XP .. 

1. Boot in safe mode,
2. Login with Administrator
3. Show all hidden files,
4. You will see three files in the root of every Drive. Delete those three files.
5. Restart, hope you are done.

Give It a try!


----------



## ajayritik (Feb 7, 2008)

Well finally I was able to delete these files as suggested by you and some others members of the forum. But I'm still unable to connect to the internet. I was able to resolve the problem but I think the problem maybe partially solved. I followed the instructions given by Abhishek in the following thread.
*www.thinkdigit.com/forum/showthread.php?t=78794

But in the above thread I'm unable to perform step e for removal of virus using Replacer program. And one more thing I heard that this thing comes back again unless we format the C: because it may reside in other folders etc. 

How do I make sure that this thing is not there on my PC. I remember doing almost all the steps given in the internet except the ones which suggest me to use a knoppix CD.


----------



## mediator (Feb 7, 2008)

I guess registry entries wont be able to do nething if the bad filezz aren't dere and if filezz get removed u'd be able to clean the registry entries afterwards too!!


----------



## rollcage (Feb 7, 2008)

@ajayritik

just install Avira Security or Eset Smart Security 3.0.621 then give it try.


----------



## ajayritik (Feb 7, 2008)

I already have Eset Smart Security on my PC.


----------



## rollcage (Feb 8, 2008)

then may be you have 1 more virus


----------



## ajayritik (Feb 8, 2008)

Was that a joke rollcage?


----------



## nepalidevil (Feb 24, 2008)

hey no need to use live cds. just write a batch file
tskill killer            
tskill smss              (if there is smss in startup)

and after that u can use mediator trick
deleting the files
see the virus also copies itself on root drive so be careful
use winrar or nero to delete the virus
and it copies it self on startup so delete it also 
and after that use the registry cleaner to clean the registry.

see the virus just copies itself on rootdir. system dir. and startup dir.
you just have to delete all the files. the virus have all same icons.
and they are superhidden also.


----------



## rollcage (Feb 25, 2008)

ajayritik said:


> Was that a joke rollcage?


ok sorry for that ya,

Actually ... I did get this virus in january, when I borrowed my classmate's pen drive for practice papers.

I had at that time I think Avira, (I keep on formatting n experimenting), then i found that it did recognise it but didn't delete it.
wtf .. I said ..
I noticed that there is a file in every Partition root,
(you can see that after enabling the hidden files n system files)
it came again after deleting them ..
so I booted in safemode.. and deleted those files.. done
but when I restarted there were still files coming up
then after searching on google.
found out that killer.exe n few others are copied by it in windows installation, and that file runs so that it recopies those files back to where you manually deleted it.
so...
then Got to eset nod32 AV 3.0.621, it helped remove it completely,
some of it removed by it .. some i tried myself removing from safe mode.
just searching those file names again n again..before its completely gone when NOD32 got it.

now you have to try that ..but still strange that you havent been able to remove it.



ajayritik said:


> How do I make sure that this thing is not there on my PC. I remember doing almost all the steps given in the internet except the ones which suggest me to use a knoppix CD.


thats actually very simple .. search for those files from windows root.

tell whats the status ... plz for godsake ...


----------

