Trojan.Funweb.A

MEDIUM
VERY LOW
~120 KB
(AdWare.Win32.FunWeb.e Application/FunWeb)

Symptoms

Presence of the following file:

  • %ProgramFiles%\FunWebProducts\Installr\[random-number].bin\F3EZSETP.DLL


Presence of the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\
  • HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\
  • HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\
  • HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\   
  • HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\
  • HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\
  • HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\

Removal instructions:

a) Please let BitDefender disinfect your files.

b) Manually delete
  • %ProgramFiles%\FunWebProducts\Installr\[random-number].bin\F3EZSETP.DLL

and the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts\
  • HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start\
  • HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1\
  • HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\   
  • HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\
  • HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\
  • HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\

Analyzed By

Sorin Ciorceri, virus researcher

Technical Description:

Once executed:
  • drops a file named "F3EZSETP.DLL" in %ProgramFiles%\FunWebProducts\Installr\[random-number].bin
  • registers that file as a Browser Helper Object (BHO).
  • downloads components/updates from the Internet.
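
A read-only PowerShell check for the file, registry keys and BHO registration described above, as an added example that is not part of the original entry or BitDefender's tooling. The `Program Files (x86)` and `WOW6432Node` locations and the standard Windows `Browser Helper Objects` key are assumptions the entry does not mention; variable names are illustrative.

```powershell
# Added example: reports the indicators from this entry; changes nothing on the system.
$dll = 'F3EZSETP.DLL'

# Assumption: on 64-bit Windows a 32-bit install may be redirected to
# "Program Files (x86)" and WOW6432Node, so both views are checked.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$files = @(foreach ($r in $roots) {
    # [random-number].bin is matched with a wildcard
    Get-Item -Path (Join-Path $r "FunWebProducts\Installr\*.bin\$dll") -ErrorAction SilentlyContinue
})

# Registry keys exactly as listed in the entry (plus the assumed 32-bit view of the first).
$keys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts'
    'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\FunWebProducts'
    'HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start'
    'HKEY_CLASSES_ROOT\FunWebProductsInstaller.Start.1'
    'HKEY_CLASSES_ROOT\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}'
    'HKEY_CLASSES_ROOT\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}'
    'HKEY_CLASSES_ROOT\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}'
    'HKEY_CLASSES_ROOT\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}'
)
$hitKeys = @($keys | Where-Object { Test-Path -LiteralPath "Registry::$_" })

# BHO check: resolve every registered Browser Helper Object to its DLL and
# flag any that load F3EZSETP.DLL or anything under a FunWebProducts folder.
$bhoRoots = 'SOFTWARE', 'SOFTWARE\WOW6432Node' | ForEach-Object {
    "Registry::HKEY_LOCAL_MACHINE\$_\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" }
$bhos = @(foreach ($b in Get-ChildItem -LiteralPath $bhoRoots -ErrorAction SilentlyContinue) {
    foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
        $k = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$view\$($b.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
        $server = if ($k) { $k.GetValue('') }   # default value = path of the COM server DLL
        if ($server -match 'FunWebProducts|F3EZSETP\.DLL') {
            [pscustomobject]@{ Clsid = $b.PSChildName; Server = $server }
        }
    }
})

# Summary object: Suspected is true if any indicator was found.
[pscustomobject]@{
    Files        = $files.FullName
    RegistryKeys = $hitKeys
    BhoEntries   = $bhos
    Suspected    = [bool]($files.Count + $hitKeys.Count + $bhos.Count)
}
```

A BHO entry that survives after the listed keys are deleted means Internet Explorer will still try to load the component, so recheck after cleanup.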