Saturday, December 8, 2007

Funny UST Scandal virus


How I removed Funny UST Scandal virus from my system.


Recently my system infected with a virus. I am using Win XP and using McAFee. But, McAFee did not recognise the threat at all.

Characteristics:
The virus is closing every program it thought might be dangerous to its existence. If I open task manager, virus is minimizing it to system tray. There are processes running killer.exe, smss.exe, lsass.exe. Yes, smss.exe and lsass.exe are system processes, but virus is running two processes with the same name. one process is running with the name smss.exe, while two processes are running with the name lsass.exe, in that one is system process, another one is virus.

I have already installed process explorer, otherwise I would have to download it from another system because when I tried to download it from the Net virus is closing the window. I have used this software to kill the above processes. In the process, before I am killing the processes virus is minimizing this process explorer to system tray, I am opening it from there, and I closed all the processes. Two entries are there for lsass.exe, one is child process for System process, another one is child for explorer.exe, this later one is virus process.

Once virus processes are closed, I took the following steps:

  • Deleted Funny UST Scandal.exe, smss.exe, and killer.exe in Windows folder, Windows\System, and Windows\System32 folder.
  • Checked and deleted root folder of every partition for these files and autorun.inf. In some locations I found xmss.exe also, they all have some icon. So, I recognised them easily.
  • Usually these files will be hidden. You can use “attrib –h –s smss.exe” in command prompt to unhide them and then delete. But, I have used Bullet Proof FTP for locating these hidden files and deleting them. As I have already installed the software I used it, you can download trial version. It is very easy by using this FTP client. With attrib command we have to go every location and issue command and then delete it. This BP FTP is showing hidden files, and I dont need to use DOS commands.
  • Deleted C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe. I have also deleted Desktop.ini files which are placed in every folder of Start menu for every user. I think this file shouldn't in those locations.
  • Used MSConfig command to clean the startup items, I have unchecked all suspicious processes from startup tab.
  • Using RegEdit tool, deleted Auto Play entries which are pointed to smss.exe
  • And then searched for “Funny”, “Killer”, “Smss”, and “lsass”. Be careful when deleting lsass keys as there is an important system process will be running with the same name. System copy of the file will be in the Windows\System32 folder.
If you find this information useful, please leave a comment below.

Related Posts:
Disabling auto play
Task Manager disabled?
Important steps when cleaning virus
What is this process?

This link contain more information
http://www.thinkdigit.com/forum/showthread.php?t=78794


If you like my blog, please subscribe to the feed using e-mail form at the right side or in a news reader.

8 comments:

  1. hi ,thank u so much ,u have helped me a lot as i was facing the same problem with this virus ur site has helped me a lot

    ReplyDelete
  2. bad trip talaga yan,. hay just a while ago i was also infected with that, i dont know what to do, my 'last resort, system restore, then ok n sya.. ok n ba un? o kailangan ko pa hanapin mga components nya?

    ReplyDelete
  3. Thank you Ms. Latha. Anonymous, I din't understand anything in your comment except two words.

    ReplyDelete
  4. U have provided us good documentation.
    Thank u very much...
    ---DJ

    ReplyDelete
  5. nakakainis nga toh dati eh... ung una pabalik balik sa usb ung virus pag sa windows XP pero pag sa windows vista pag binura mo hindi na babalik... weird!!!

    ReplyDelete
  6. Simply killing some in between class time on Digg and I found your article . Not usually what I want to read about, nevertheless it was completely price my time. Thanks.

    ReplyDelete
  7. Hi - I am really delighted to discover this. cool job!

    ReplyDelete

Latest Posts