Feedback request
Guest
I had to deal with what started out as a case of MS Funner a few days ago, and wondered if anyone has heard of this before. Or maybe it's a recognised anti-malware technique I wasn't aware of before.

The system would show the logon dialogue panel, then launch scandisk in normal and safe modes, then freeze. A 'screensaver' had been downloaded a few days previously by the children of the client. A few web searches led me to conclude the symptoms might be the Funner virus, which gave me something to go with.

It was on a WinME laptop, which meant I was able to boot-disc into DOS, and sure enough, found and was able to edit the changed sys.ini file as advised by Symantec's site. I could then boot into safe mode, and found the bogus iexplore and explorer files, but couldn't delete them permanently. I ran Trend Sysclean, AVG, CWShredder, About Buster, Ad Aware SE, Spybot S&D, Spywareblaster and HiJack This, checked all the usual Run and Control Set Regkeys, but I couldn't find the buddy files that were recreating the bogus files and modifying sys.ini on rebooting.

In a flash of inspiration/desperation/stupidity, while boot-disking yet again, editing and deleting the bogus files in DOS for the 3rd time, I cut Rundll32.exe from the System folder and pasted it on the disc. One of the few DOS commands I still remember. If it wouldn't even boot, I could replace it easily.

Once again in safe mode (which is visual torture on a laptop, lemme tell ya), this time when I ran the toolkit, viruses, browser hijackers and trojans were detected like they were going out of business. Which they were. It was as if they'd been unmasked. Apart from Funner there were Trojans; Reaper, Dropper, Backdoor, Winnuke32, Haktek and Netnobios are a few of the types I can remember that were ID'd. The only ill effect I noticed was I couldn't get My Computer or Control Panel to respond, but all the previously mentioned programs seemed to scan correctly, and desktop shortcuts worked.

When all the scans were completed, I pasted Rundll32 back, restarted in Safe Mode and ran them all again. Nothing was found and everything looked to be working as expected. I also fixed the Hosts file and ran LSP fix for luck. I rebooted and Windows started normally. Ran AVG, Ad Aware, Spybot and Hi Jack This for luck. No problems found. Went online and IE was working properly again. Lastly I re-enabled System Restore and deleted my 'security tools' folder.

With all that scanning it took about 14 hours, but if whatever was using Rundll32.exe hadn't been disabled by its absence, I have a feeling I'd be there still.

Chek
--
Change 'boos' to 'bos' in address to email directly