"Funneh" Worm:

Ok, I infected a virtual Windows install with this worm on purpose, to try and see if I could remove it. Here's what happened:

  1. I run the virus.
  2. Virus removes Funneh.exe and creates "expiorer.exe", which it then launches, after screwing around with various IE settings related to the location of history and temporary internet files, etc.
  3. "Expiorer.exe" is set to run at startup as "Microsoft Admin Protocal" - this is removed by AIMFix and has been for a long time.
  4. Spyware starts appearing on the machine in record time - 180Solutions, PowerScan, ShopAtHome, IST Service Toolbar, Sidebar, etc.
  5. Internet Explorer starts opening window after window on its own, to various malicious websites (including a few pages at fightbac.com) where more crap is downloaded.
  6. I close down AIM and restart it to see what happens.
  7. AIM launches, but doesn't appear for several minutes; instead IE starts opening more windows and more spyware installers/downloaders are launched in the background. It appears that AIM is waiting for them to finish before it starts itself.
  8. No messages are sent to anyone on my buddy list at any point during this experiment.
  9. I close all the spyware and junk programs in task manager, then run AIMFix to remove expiorer.exe.
  10. AIMFix completes without error, removing "expiorer.exe" and registry keys.
  11. Restarted the machine.
  12. Several chunks of spyware are still installed, and the downloaders are running at startup again. I close the downloaders and spyware with task manager, remove all the items with HijackThis, and verify that all is now clean.
  13. Restart AIM to see what happens. No IMs are sent from my screen name, no virus appears, and no strange processes are launched.

In short, I can find nothing in this virus that isn't able to be removed by AIMFix and by following the spyware removal steps as outlined. I have absolutely no idea why people are being reinfected by this over and over, or why people with clean HijackThis logs are still showing symptoms. The only conclusion I can draw is that whatever virus I am downloading from http://fightbac.com/files/Funneh.exe is not the same as what other people are experiencing, because I was able to remove it by following the usual methods and using AIMFix.

-Jay
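The two indicators Jay's log gives a defender something to check for are the lookalike process name ("expiorer.exe" standing in for explorer.exe) and the startup entry named "Microsoft Admin Protocal". The following script is an added example, not part of the post and not AIMFix or HijackThis code. It flags process names that are one character away from a legitimate Windows binary name and Run-key entries that either use the reported startup name or launch such a lookalike. The process list and Run-key entries below are constructed sample data, and the set of legitimate names to compare against is an assumption chosen for illustration.

```python
"""Lookalike-process and Run-key checker (added example, not from the original post).

All sample input below is constructed for illustration; in practice the process
list would come from tasklist/psutil and the Run entries from
HKLM/HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import ntpath

# Assumption: a small set of legitimate names that typosquatted malware tends to imitate.
LEGIT_PROCESSES = {"explorer.exe", "svchost.exe", "lsass.exe"}

# Startup value name the post reports for the worm's persistence entry.
KNOWN_BAD_RUN_NAMES = {"microsoft admin protocal"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_name(name: str, legit=LEGIT_PROCESSES, max_distance=1):
    """Return the legitimate name this one imitates, or None if it is legit or unrelated."""
    lowered = name.lower()
    if lowered in legit:
        return None
    for good in legit:
        if levenshtein(lowered, good) <= max_distance:
            return good
    return None


def find_lookalike_processes(process_names, legit=LEGIT_PROCESSES):
    """Return (observed, imitated) pairs for names that are near-misses of a legit binary."""
    hits = []
    for name in process_names:
        good = imitated_name(name, legit)
        if good is not None:
            hits.append((name, good))
    return hits


def _executable_of(command: str) -> str:
    """Extract the basename of the executable from a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:  # unquoted: first whitespace-separated token
        path = cmd.split()[0] if cmd else ""
    return ntpath.basename(path).lower()


def find_suspicious_run_entries(run_entries, legit=LEGIT_PROCESSES):
    """Return (value_name, reasons) for Run entries matching a known name or a lookalike exe."""
    hits = []
    for value_name, command in run_entries.items():
        reasons = []
        if value_name.lower() in KNOWN_BAD_RUN_NAMES:
            reasons.append("known startup name")
        good = imitated_name(_executable_of(command), legit)
        if good is not None:
            reasons.append("lookalike of " + good)
        if reasons:
            hits.append((value_name, reasons))
    return hits


# Constructed sample data mirroring the post's observations.
SAMPLE_PROCESSES = ["explorer.exe", "expiorer.exe", "svchost.exe", "notepad.exe", "lsass.exe"]
SAMPLE_RUN_ENTRIES = {
    "Microsoft Admin Protocal": r'"C:\WINDOWS\expiorer.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Some Vendor\updater.exe" /background',
}

if __name__ == "__main__":
    for observed, imitated in find_lookalike_processes(SAMPLE_PROCESSES):
        print(f"process {observed!r} looks like {imitated!r}")
    for value_name, reasons in find_suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run entry {value_name!r}: {', '.join(reasons)}")
```

The edit-distance check is deliberately loose (distance 1 against a short allow-list) so it catches i/l and similar single-character substitutions without needing a signature for each variant; on a real host it will also surface benign near-misses, so treat a hit as something to look at, not as proof of infection.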