Hello Everyone,

I (with the help of Matty) have created a removal tool to clean infections by the MSN Funmaker Virus (Currently I've named it Herustic.AdwareDropper.A).  The tool will end the processes known to start by the virus and delete the files associated with the virus. The virus is NOT yet detected by Symantec (Norton) or McAfee.  Detection from other vendors is unknown.

Removal Tool: Download Now
Important Notice:  I have confirmed that SOME VERSIONS of McAfee AntiVirus are currently reporting my removal tool as a virus.  Please update to the latest DAT/definition file to fix this problem.  I can assure you 100% that my file is not a virus, and has passed the Symantec Norton AntiVirus Web Scanner as well as Norton AntiVirus 2005.  , McAfees latest update fixes the problem and will prove it .

Update 1.0.04 (Current Version):
-Tool is now redesigned for a smaller file size and better look.
-Tool now has lots of increased stability in many areas
-KNOWN ISSUE: McAfee Products detect my tool as a virus.

Update 1.00.03:
-Removal tool will now output a removal log of what actions it did exactly. (Excluding Killprocesses, it will not report if it killed any processes)
-Removal tool will inform you whether or not you had the virus when you press the start button.  There is a known delay, this is due to the "Kill Process" of any of the possible infections.

Version 1.0.02:
-Removed the "MSN Butterfly New" logo due to disputes about it; The program now has a PLAIN QUESTIONMARK.

Version 1.0.01:
-Removes files not removed by original tool (Cookies Files)
-Limitation: Cannot remove the files in C:\WINDOWS\SYSTEM32\PREFETCH\, Although these shouldnt pose a risk unless you execute them.

Version 1.0.00:
-Removes infections from the AdwareDropper.A
-First Release

What are the process...

"Systray.exe", and in some cases, "MediaAccess.exe" and "MediaAccK.exe".  It shuts them down, waits 4 seconds to ensure they are all shut down, then deletes the files and then deletes the startup entries.

kk, thanks

Are you sure any isn;t called aircity.exe?

To be honest, Im not 100% sure.  The virus actually "mutated", so to speak, tonight as I was making the removal tool.  Same executeable performed different actions tonight than it did lastnight during the tests.  If you want to send a copy of aircity.exe to me, I can analyze that for you.

sistray or systray??

Systray.exe

PS:
The next release should be like right away, some more files have been been added to the removal...Thanks to me. AHAHA

The tool has been updated now to remove files that Cookie originally reported.

nice work Dane! this should be posted on mess.be, along with all the other fixes that other forum members have made

Thanks,
I have a FAR better tool coming out this afternoon if I can fix this one bug, and it probably will appear on Mess.be, Im sure you can guess what it is, Web based and My Website, Msgpluszone .  Btw, it will detect this virus .

quote:

---

Originally posted by Dane
"Systray.exe", and in some cases, "MediaAccess.exe" and "MediaAccK.exe".  It shuts them down, waits 4 seconds to ensure they are all shut down, then deletes the files and then deletes the startup entries.

---

quote:

---

Originally posted by http://www.liutilities.com/products/wintaskspro/processlibrary/systray/

systray - systray.exe - Process Information

Process File: systray or systray.exe
Process Name: Microsoft System Tray Services

Description:
systray.exe is a background process which displays information such as date and time. This program is important for the stable and secure running of your computer and should not be terminated.

---

Yes, im 100% sure.  It was in the wrong location and wasnt signed by Microsoft .  In fact, running it reinstalled the virus .

Systray.exe is only needed for Win 2K or below, so if it's on Windows XP, then it's gotta be a virus >_>

Anyway, nice job with the removal tool Maybe you could add something that detects if the person has the virus, and if not, instead of saying "The Virus has been successfully removed from your computer", it could say something like "The virus was not found on your system." Not a big deal, but I think it would be a little better

Due to the many different installtypes, I cant detect any one way.

Update 1.00.02:
-Removed "Msn Butterfly" logo due to disputes about it; This release now has a PLAIN QUESTIONMARK!

quote:

---

Originally posted by Dane
-Removed "Msn Butterfly" logo due to disputes about it; This release now has a PLAIN QUESTIONMARK!

---

Could you please make it display a report when it’s done taking the virus out.

I ran it just to make sure I didn’t have the virus and it said the H.AdwareDropper.A has successfully been removed. Now I don't now if I had it or not. If you could show the files and changes it removed after the scan is done it would be better.

Ive ran the removal tool and it is still there.

"Wsup.exe" and "WToolsA.exe",  have been running since i got the virus.

Ive had "MediaAccK.exe" and "MediaAccess.exe" processes running on all my computers for ages without receiving this virus...

edit: I keep getting messages from my firewalls and virus scanners saying that access to the file toolbar[numbhere].exe has been blocked.

Could this be part of the virus?

Hello,

I will release an update to the tool tommorow with more advanced information and clearer messages about what actions the tool performed.  I will also do research on bal's comment.

Thank you.

Update: bal, can you please run your suspicious files through Link Removed - Product Still in Beta, which currently only detects this worm.  I can analyze it then.

Its  a hack tool right?
but its at the picturecentre site how did they do that?

It's not a hack tool. It claims to be it, but it's just a trick to make you download and install it and give it to your friends so they all get infected by the virusses and the adware so the creators earns money with all the ads you see etc.
(Correct me if I'm wrong)

As Promised, here is the update you requested.

Update 1.00.03:
-Removal tool will now output a removal log of what actions it did exactly. (Excluding Killprocesses, it will not report if it killed any processes)
-Removal tool will inform you whether or not you had the virus when you press the start button.  There is a known delay, this is due to the "Kill Process" of any of the possible infections.

I should also note that I did not recieve a sample from Bal, so I have excluded removal of those executeables from the tool, for right now.

quote:

---

Originally posted by Markus
It's not a hack tool. It claims to be it, but it's just a trick to make you download and install it and give it to your friends so they all get infected by the virusses and the adware so the creators earns money with all the ads you see etc.
(Correct me if I'm wrong)

---

So you're trying to say that there's a real MSN Fun Maker and a fake MSN fun maker...?

MSNFunMaker is a trojan (backdoor program) which must be sent to your contacts.

When the "fun"-tool is executed by your contact he will get an error message and will log out and back in automatically. Thinking something went wrong, the victim don't further mind the program, but in reality MSNFunMaker is running like it "should" and now you can control the victims MSN (and more) without the victim knowing about it.

MSNFunMaker also install other dodgy stuff on the victims PC. And it spreads itself by advertising links in each conversation of your victim (and we all know what happens when links are posted; they get clicked)...

Yes.  I believe Cookie, however, Network Associates McAfee AVERT doesnt.

quote:

---

Originally posted by McAfee AVERT

We feel that this program shall remain in our Potentially Unwanted Programs (PUP) list.  It doesnt appear to display any characteristics of Viruses or Trojans, as you suggest.

---

Nice update. Thanks

Well, after being told my design was VERY ugly by several people , I redesigned it.  I also noticed SEVERAL small bugs but they were big enough that they could cause problems with the workability of the tool, and they have been repaired for increased stability.

Update 1.0.04:
-Tool is now redesigned for a smaller file size and better look.
-Tool now has lots of increased stability in many areas

as soon as i downloaded it, McAfee said that it's a virus and it was deleted, can you make it stop that?

You should email them and ask why they report it as a virus... Do they think that their better or soemthing?

Hello,

I just wanted to update you that the tool is NO LONGER detected as a virus when using the latest McAfee DAT (issued today and onward).

Thanks,
Dane Smith

Nice work Dane, you use C++ to make it?

it worked, nortan deteced it

quote:

---

Originally posted by DJeX
Nice work Dane, you use C++ to make it?

---

quote:

---

Originally posted by steven5678
it worked, nortan deteced it

---

Important Message: It has been noted that on or after April 2nd, 2005, The virus will stop working, but wont remove itself.  That effectively ends the development of this tool, Thanks for using it though.

That's not true, the virus worked yesterday for me and a lot of people but thanks for the tool, without it, I would have never been able to uninstall it