Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).
Its not a funny video
According to McAfee, this worm is known as W32/Autorun.worm.g.
It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.
XMSS.exe Win32 AutoRun Files
- x:autorun.inf
- x:xmss.exe
- x:Funny UST Scandal.avi.exe
- %Windir%\autorun.inf
- %Windir%\xmss.exe
- %Windir%\Funny UST Scandal.avi.exe
Fixes Win32 AutoRun.* Worm
Here’s a few step to prevent Win32 AutoRun Worm.
- Disabled System Restore for Temporary - KB 264887
- Boot Windows in Safe Mode - KB 315222
-
In Windows Safe Mode, Open Windows Registry Editor
Windows Start > Run > Regedit
-
Browse to the following registry settings ↓
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- Replace
explorer.exe, xmss.exe with exporer.exe
- Delete all the following files
- C\autorun.inf
- C\xmss.exe
- C\Funny UST Scandal.avi.exe
- X:\autorun.inf
- X:\xmss.exe
- X:\Funny UST Scandal.avi.exe
- %Windir%\autorun.inf
- %Windir%\xmss.exe
- %Windir%\Funny UST Scandal.avi.exe
%Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive
- Clean All Windows Temporary Files
- Restart Windows
XMSS.exe Win32 Autorun Variants
VirusTotal.com - Dec 2007 Results.
| Antivirus | Version | Last Update | Result |
| AhnLab-V3 | - | - | - |
| AntiVir | - | - | - |
| Authentium | - | - | - |
| Avast | - | - | - |
| AVG | - | - | - |
| BitDefender | - | - | - |
| CAT-QuickHeal | - | - | Worm.AutoRun.abt |
| ClamAV | - | - | Trojan.Autoit-6 |
| DrWeb | - | - | - |
| eSafe | - | - | suspicious Trojan/Worm |
| eTrust-Vet | - | - | - |
| Ewido | - | - | - |
| FileAdvisor | - | - | - |
| Fortinet | - | - | W32/Autoit.BG!tr |
| F-Prot | - | - | W32/Trojan!c4a4 |
| F-Secure | - | - | Trojan.Win32.Autoit.bg |
| Ikarus | - | - | Virus.Win32.AutoRun.pc |
| Kaspersky | - | - | Trojan.Win32.Autoit.bg |
| McAfee | - | - | - |
| Microsoft | - | - | - |
| NOD32v2 | - | - | Win32/HackAV.P |
| Norman | - | - | - |
| Panda | - | - | Suspicious file |
| Prevx1 | - | - | Trojan.DoS.Win32.Opdos |
| Rising | - | - | Worm.Win32.Autorun.jax |
| Sophos | - | - | - |
| Sunbelt | - | - | - |
| Symantec | - | - | - |
| TheHacker | - | - | Trojan/Autoit.bg |
| VBA32 | - | - | Virus.Win32.AutoRun.pc |
| VirusBuster | - | - | Trojan.AutoIt.BB |
| Webwasher-Gateway | - | - | Riskware.HackAV |
8 Responses to “How to Remove Win32 AutoRun Worm - Funny UST Scandal - XMSS.exe”
but i open safe mode after restor temprary off then i write on regedit on run buut the hide alll things they not show above picture setup
here's a quickie.
once i'm in safe mode(admin) and i type regedit, and i'm just starting to browse,EVERYTHING just disappears,and refuses to open again,..what should i do!?...plz i need help
↑ mina - download killbox used it to delete xmss.exe inside all the folder at step 6.
Thanks GUYS!!!! I owe you a lot!!! that virus won't get rid of my PC! I'm hoping that with your advise, I may be able to delete permanantly the not reall funny worm.
Remove Funny Scandal without any anti virus
Remove completely funny ust scandal avi.exe(virus) from your hard disk without using any anti virus and just installing fresh copy of window. This is done by jitender kumar. For any problem regarding viruses contact me on my e mail id
Funny ust scandal.avi.exe run these files :
If your computer corrupted with funny with xmss.exe then you :
And if funny with smss.exe then you are in some better condition . ok now apply this steps and give me reply and your experience on my e mail id and you can be my friend. Ok best of luck so for removing this virus you must install windows at one time and following these steps you will remove this virus.
- install a fresh copy of window by formatting any drive.
- do not open any drive(after installation of window) before removing virus from your system.
- make a restore point
- in folder options
- (a).check mark before shows hidden files and folders.
- (b).unmark the option hide protected operating system files ( recommended )
- after applying this options check one more time that they are applied or not they must be applied-shows virus is not corrupted your windows
- open search and select all files and folders and mark on more advance options (search hidden files and folders,search system folders, search subfolders)
- search autorun file from all drives(just within drive) and delete them, after deleting these files right click on each drive and check there is autorun option or not, it shows virus in your drive now restart your system the autorun option will not be there in right click on drives
- now open drive and delete virus like funny ust scandal, smss.exe, xmss.exe
- now again check the folder option selected option must be applied if they are not applied or it does not show hidden files and folders it means you did any mistake by following these steps and virus corrupt your windows, now restore your system and repeate from step 4.
- delete this viruses from the folder RECYCLER in every drive, this virus must be at least one folder in recycler folder of each drive .
- from folder option unmark the option hide protected operating system files.
ORanother solution for removing this virus first follow above 4 steps and then try this trick
Jitender kumar
MCA student of software engineering
MIET Engineering college, Meerut
UP, INDIA
Gmail email icon generator by http://services.nexodyne.com/email/ ~ed
whats us the correct anti virus software for this problem,,,,,
firstly you have to downloads killbox.exe to enable you to delete the xmss.exe file....you must delete it in every partition of your computer and after that you can adjust the regsitry and use the antivirus,the other 2 file just ignore it and delete it using antivirus...i use ↓
but must remember to turn off the system restore first...anythings...ask me at yahoo messenger...afandi_mustaffa