2words4uready

Removal of Funny UST Scandal avi.exe UPDATED SCRIPT

26 posts in this topic

#1 ·  Posted (edited)

This script will remove the virus Funny UST Scandal.avi.exe (UPDATED SCRIPT).

It's a good thing I made this script earlier, because I received the virus last night over Yahoo Messenger.

VIRUS REMOVER PART 1

; Part 1: clear the hidden/system attributes on the worm's files in the root of C:
; and delete them. The attrib commands are typed into a live cmd.exe window with
; Send(), so the console must keep keyboard focus while the script runs.
Run("cmd.exe")
Sleep(2000)                          ; give the console window time to appear and take focus
Send("cd\")
Send("{ENTER}")
Sleep(5000)
Send("attrib -h -s smss.exe")        ; make the hidden/system copy visible and deletable
Send("{ENTER}")
Sleep(5000)
Send("attrib -h -s autorun.inf")
Send("{ENTER}")
Sleep(5000)
FileDelete("C:\smss.exe")
Sleep(5000)
FileDelete("C:\autorun.inf")
Sleep(5000)
FileDelete("C:\Funny UST Scandal.avi.exe.exe")   ; file name as posted
Sleep(5000)

VIRUS REMOVER PART 2

; Part 2: same procedure for the copy in C:\Windows, then open an Explorer window
; there. The Startup-folder copy (lsass.exe) is deleted directly.
Run("cmd.exe")
Sleep(2000)
Send("cd windows")
Send("{ENTER}")
Sleep(5000)
Send("attrib -h -s smss.exe")
Send("{ENTER}")
Sleep(5000)
Send("start c:\windows")             ; opens C:\Windows in Explorer
Send("{ENTER}")
Sleep(5000)
FileDelete("C:\WINDOWS\smss.exe")
Sleep(5000)
FileDelete("C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe")
Edited by 2words4uready

READ BEFORE POSTING | My UDF's | Messages | You say plz because it's shorter than please. I say no because it's shorter than yes. | Join My Website




#2 ·  Posted (edited)

I am kinda lost about what these scripts are supposed to do.

They start the CMD prompt, then type some command to just open Explorer, and then tell you to delete files?

How did you figure that these files should be deleted anyway?

Edited by Jos

Visit the SciTE4AutoIt3 Download page for the latest versions - Beta files | How to post scriptsource | Forum Rules

Live for the present,
Dream of the future,
Learn from the past.
:)


I am kinda lost about what these scripts are supposed to do.

They start the CMD prompt, then type some command to just open Explorer, and then tell you to delete files?

How did you figure that these files should be deleted anyway?

Because of hours of tedious work on the cmd prompt while trying to remove this virus on a friend's computer.

The reason it tells you to delete the files is that I don't have the virus, so that prevents me from automating the deleting part.



#5 ·  Posted (edited)

This to me is like saying that "Format c:" also removes the virus, if you know what I mean.

Let me put it this way:

When you are not sure about these types of things, then just don't tell people to delete files, but tell them to get a proper AV package installed.

Jos

Edited by Jos


This to me is like saying that "Format c:" also removes the virus, if you know what I mean.

Let me put it this way:

When you are not sure about these types of things, then just don't tell people to delete files, but tell them to get a proper AV package installed.

Jos

A proper AV does not detect this virus.

It was also made with AutoIt v3.



I found this on Google, just changing the attributes and deleting infected files... http://www.bloggingindia.net/2008/01/09/au...-scandalaviexe/

gesller, I wish I had known that earlier; then I would not have had to sit for hours on the cmd, lol.


#8 ·  Posted (edited)

On a friend's computer. The reason it tells you to delete the files is that I don't have the virus, so that prevents me from automating the deleting part.

.. so you are basically saying you DON'T KNOW why you do this?

I am suspicious: why delete the smss.exe?

That's part of the OS: "session manager subsystem"?? It shouldn't be deleted?

Next:

"LSASS" or Local Security Authority Subsystem Service

This shouldn't be deleted either!! Or Windows won't start again.

So it can be really harmful if people accidentally delete the files from the WRONG spot.

Sorry, but to me your "antivirus script" looks like a bad idea :)

I'd rather trust a decent antivirus program (BTW the virus was already on the freeware Avira AntiVir list somewhere in January..)

Edited by nobbe


This to me is like saying that "Format c:" also removes the virus, if you know what I mean.

Let me put it this way:

When you are not sure about these types of things, then just don't tell people to delete files, but tell them to get a proper AV package installed.

Jos

The virus also prevents you from installing anything.


gesller i wish i had known that earlier and i would have had to set for hours on the cmd lol

Google Is Your Friend!! LOL


The virus also prevents you from installing anything.

When you have a virus you shouldn't try to install software nor keep running from the infected partition.

I use a WinPE CD to boot and run AV from there.

Jos



.. so you are basically saying you DON'T KNOW why you do this?

I am suspicious: why delete the smss.exe?

That's part of the OS: "session manager subsystem"?? It shouldn't be deleted?

Next:

"LSASS" or Local Security Authority Subsystem Service

This shouldn't be deleted either!! Or Windows won't start again.

So it can be really harmful if people accidentally delete the files from the WRONG spot.

Sorry, but to me your "antivirus script" looks like a bad idea :)

I'd rather trust a decent antivirus program (BTW the virus was already on the freeware Avira AntiVir list somewhere in January..)

However, those files should not be in the root of the drive, and if they are then you have a problem. Same thing with viruses that create a file named explorer.exe in the root of the home drive. Files found in the root will execute before files of the same name in the rest of the path.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"


However, those files should not be in the root of the drive, and if they are then you have a problem. Same thing with viruses that create a file named explorer.exe in the root of the home drive. Files found in the root will execute before files of the same name in the rest of the path.

All true, but remember that the worst virus is the user himself. Their ignorance causes much more data/time loss than anything else, thus it is important to know what you are doing before doing it, and even more important before telling others to start deleting files!


All true, but remember that the worst virus is the user himself. Their ignorance causes much more data/time loss than anything else, thus it is important to know what you are doing before doing it, and even more important before telling others to start deleting files!

What a change this is !!! We agree right across the board. :)

The one thing that causes the most damage to a computer is the user and their total absence of forethought. I'm not too sure why the OP was using all those Send()s anyway. The simple way would be to write the commands to a .cmd file, then ShellExecute() the file.


George

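The approach George describes, as an added example that is not the OP's script or anyone else's code in this thread: the attrib/del commands are written to a .cmd file and run with ShellExecuteWait(), so nothing depends on which window happens to have keyboard focus, and the exit code of cmd.exe comes back to the script. The target list is the set of files the OP's script deletes; the $bDryRun flag, the function names and the use of @TempDir for the batch file are my own assumptions for illustration.

```autoit
; Added example, not code from this thread. Builds a .cmd file with the attrib/del
; commands and runs it with ShellExecuteWait() instead of typing into cmd.exe with Send().

Global $bDryRun = True   ; assumption: stay in report-only mode until set to False

; Files the OP's script removes: root of C:, C:\Windows, and the All Users Startup folder
Global $aTargets[4] = [ _
    "C:\smss.exe", _
    "C:\autorun.inf", _
    "C:\WINDOWS\smss.exe", _
    "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lsass.exe"]

; Write one attrib + guarded del line per file; returns True on success
Func BuildCleanupCmd($aFiles, $sCmdPath)
    Local $hFile = FileOpen($sCmdPath, 2)   ; 2 = write mode, overwrite existing file
    If $hFile = -1 Then Return SetError(1, 0, False)
    FileWriteLine($hFile, "@echo off")
    For $i = 0 To UBound($aFiles) - 1
        ; clear hidden/system/read-only first, otherwise del refuses the file
        FileWriteLine($hFile, 'attrib -h -s -r "' & $aFiles[$i] & '"')
        FileWriteLine($hFile, 'if exist "' & $aFiles[$i] & '" del /f /q "' & $aFiles[$i] & '"')
    Next
    FileClose($hFile)
    Return True
EndFunc

; Run the batch file hidden and return the exit code of cmd.exe
Func RunCleanupCmd($sCmdPath)
    Return ShellExecuteWait($sCmdPath, "", @TempDir, "open", @SW_HIDE)
EndFunc

Local $sCmd = @TempDir & "\cleanup.cmd"   ; assumed location of the generated batch file
If Not BuildCleanupCmd($aTargets, $sCmd) Then
    MsgBox(16, "Error", "Could not write " & $sCmd)
    Exit 1
EndIf

If $bDryRun Then
    ; show the generated commands for review; nothing is deleted in this mode
    MsgBox(64, "Generated commands", FileRead($sCmd))
Else
    Local $iExit = RunCleanupCmd($sCmd)
    MsgBox(64, "Done", "cmd.exe exited with code " & $iExit)
EndIf
FileDelete($sCmd)
```

Reviewing the generated .cmd in dry-run mode before flipping $bDryRun is the point Jos and nobbe make: the same file names exist legitimately under C:\Windows\System32, and a batch file you can read is easier to check than a sequence of keystrokes.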

Does anyone happen to have a copy of the autorun.inf file that this virus creates?


George


#18 ·  Posted (edited)

Does anyone happen to have a copy of the autorun.inf file that this virus creates?

Refer http://www.avira.com/en/threats/section/fu...torun.fy.1.html for a sample. Funny how this seems to have struck in Pakistan/India mainly, the source of the first well documented malware all those decades ago.

Most reliable functional anti-malware programs should be able to detect and neutralise this worm by now.

Warning: The script originally given in this thread (and the updated version) will not completely remove this malware. As already mentioned, a little knowledge can be dangerous.

Edited by Confuzzled


Fine, I've seen many of this kind; they aren't too dangerous, they just write some things to the Registry, etc., and it's easier to remove them, but at least have some knowledge about it. This guy just tried to share something, but at first he didn't know about it very well.


"Don't expect for a perfect life ... Expect a least troubles ones"
Contact me: ass@kiss.to
What I Have Done:
Favorites Manager - Manage your favorites folder, that's cool
PC Waker - For those who want to save stickers
WebScripts Supporter - For those who've just started with Web and WebScripts
Temporary Looker - Simple but powerful to manage your Temporary folder, you know what you downloaded
[UDF] _NumberFormat() - Better performance on number display
[UDF] _DirGet() - What a folder contains [how many (hidden, normal, ...) files], with one line of code
[UDF] _IsPressEs() - Just like _IsPress() but for a group of keys


#20 ·  Posted (edited)

Refer http://www.avira.com/en/threats/section/fu...torun.fy.1.html for a sample. Funny how this seems to have struck in Pakistan/India mainly, the source of the first well documented malware all those decades ago.

Most reliable functional anti-malware programs should be able to detect and neutralise this worm by now.

Warning: The script originally given in this thread (and the updated version) will not completely remove this malware. As already mentioned, a little knowledge can be dangerous.

I'm just working on a version that will remove it network-wide as a separate tool. I've done several AV scripts in the past that targeted a particular virus. From what I have discovered about this particular virus, some of the available tools do not work and others require that you run a separate app to remove it from USB devices. Since I also want it to remove the virus from USB drives/sticks which may have a legitimate autorun.inf file, I wanted to check the contents of the file that should be targeted. Better safe than sorry. Thanks all.

EDIT:

One thing that I forgot to mention is that this particular virus appears to be experiencing a resurgence, and most tools check only the C:\ drive while the virus actually propagates to all of your drives.

Edited by GEOSoft

George

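An added example (not GEOSoft's tool or any code from this thread) of the check he describes: walk every fixed and removable drive rather than just C:, read the root autorun.inf, and only treat a drive as infected when that file references the worm's dropped executables, so a USB stick with a legitimate autorun.inf is left alone. The indicator strings (smss.exe and the Funny UST Scandal.avi.exe file named in this thread) are an assumption, since the worm's actual autorun.inf contents are not given here; the function names and the $bDelete flag are mine, and the script only reports until that flag is set to True.

```autoit
; Added example, not code from this thread. Inspects the root autorun.inf of every
; fixed and removable drive before anything is deleted (GEOSoft's point: the worm
; spreads to all drives, and a legitimate autorun.inf must not be touched).

; ASSUMPTION: the worm's autorun.inf refers to one of these dropped files
Global Const $aIndicators[2] = ["smss.exe", "Funny UST Scandal.avi.exe"]
Global $bDelete = False   ; report only until set to True

; Returns an array: [0] = count, [1..n] = drive letters such as "c:", "e:"
Func GetCandidateDrives()
    Local $aOut[1] = [0]
    Local $aTypes[2] = ["FIXED", "REMOVABLE"]
    For $t = 0 To 1
        Local $aDrv = DriveGetDrive($aTypes[$t])
        If @error Then ContinueLoop   ; no drive of this type present
        For $i = 1 To $aDrv[0]
            ReDim $aOut[$aOut[0] + 2]
            $aOut[0] += 1
            $aOut[$aOut[0]] = $aDrv[$i]
        Next
    Next
    Return $aOut
EndFunc

; True when the text of an autorun.inf refers to one of the indicator files
; (StringInStr is case-insensitive by default)
Func AutorunLooksInfected($sInfText)
    For $i = 0 To UBound($aIndicators) - 1
        If StringInStr($sInfText, $aIndicators[$i]) Then Return True
    Next
    Return False
EndFunc

; Inspect one drive root; returns the number of suspicious files found there
Func InspectDrive($sDrive)
    Local $sRoot = $sDrive & "\"
    Local $sInf = $sRoot & "autorun.inf"
    Local $iFound = 0
    If Not FileExists($sInf) Then Return 0
    Local $sText = FileRead($sInf)
    ConsoleWrite($sRoot & " has autorun.inf (attributes: " & FileGetAttrib($sInf) & ")" & @CRLF)
    If Not AutorunLooksInfected($sText) Then
        ConsoleWrite("  no worm indicator in autorun.inf, leaving drive alone" & @CRLF)
        Return 0
    EndIf
    ; the autorun.inf itself plus the executables it is assumed to launch
    Local $aSuspects[3] = [$sInf, $sRoot & "smss.exe", $sRoot & "Funny UST Scandal.avi.exe"]
    For $i = 0 To 2
        If Not FileExists($aSuspects[$i]) Then ContinueLoop
        $iFound += 1
        ConsoleWrite("  suspicious: " & $aSuspects[$i] & @CRLF)
        If $bDelete Then
            FileSetAttrib($aSuspects[$i], "-RSH")   ; clear read-only/system/hidden first
            If FileDelete($aSuspects[$i]) Then ConsoleWrite("  deleted" & @CRLF)
        EndIf
    Next
    Return $iFound
EndFunc

Local $aDrives = GetCandidateDrives()
Local $iTotal = 0
For $i = 1 To $aDrives[0]
    $iTotal += InspectDrive($aDrives[$i])
Next
ConsoleWrite($iTotal & " suspicious file(s) across " & $aDrives[0] & " drive(s)" & @CRLF)
```

Run it from SciTE so the ConsoleWrite() output is visible. Reading the autorun.inf before acting on it is what separates this from the OP's script: it decides per drive on the file's contents, and it does not go near the copies of smss.exe and lsass.exe that belong to Windows.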
