
not-a-virus:AdWare.Win32.FunWeb.di

Detected Mar 29 2010 03:33 GMT
Released Mar 29 2010 08:22 GMT
Published Oct 15 2010 10:07 GMT


Technical Details

This program is a component of a larger adware package. It is a Windows dynamic link library (PE DLL file), 213 111 bytes in size, written in C++.


Payload

The library is one of the components of the "My Web Search Toolbar", a search toolbar for the Internet Explorer and Mozilla Firefox browsers. The program tracks the search queries entered by the user and sends the results as HTTP requests to a number of remote servers.

The search toolbar appears as follows: [screenshot not reproduced]

This library is saved in the system as

%Program Files%\FunWebProducts\Installr\1.bin\F3EZSETP.DLL

and includes functionality for adding a malicious entry to the system registry as well as for checking for and downloading updates.

The following registry keys are created:

[HKLM\Software\FunWebProducts\Installer]
"PluginPath" = "%WorkDir%"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)"

[HKLM\Software\MozillaPlugins\@funw***ducts.com/Plugin]
"Description" = "Fun Web Products Plugin"
"Path" = "%WorkDir%\NPFunWeb.dll"
"vendor" = "Fun Web Products"
"version" = "1.1.0.0"

[HKLM\Software\MozillaPlugins\@funw***ducts.com/Plugin\MimeTypes\application/x-f3-funwebplugin]
"Description" = "Fun Web Products Plugin"
"Suffixes" = "f3p"

[HKCR\FunWebProductsInstaller.Start.1]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\FunWebProductsInstaller.Start.1\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\FunWebProductsInstaller.Start]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\FunWebProductsInstaller.Start\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\FunWebProductsInstaller.Start\CurVer]
"(Default)" = "FunWebProductsInstaller.Start.1"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)" = "Fun Web Products Installer Start"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\ProgID]
"(Default)" = "FunWebProductsInstaller.Start.1"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\VersionIndependentProgID]
"(Default)" = "FunWebProductsInstaller.Start"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\InprocServer32]
"(Default)" = "<complete path to original malicious file>"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB}"

[HKCR\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0]
"(Default)" = "Installer 1.0 Type Library"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\0\win32]
"(Default)" = "<complete path to original malicious file>\1"

[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\HELPDIR]
"(Default)" = "<complete path to original malicious file>\"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "If3InstallerStart"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
"Version" = "1.0"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "_If3InstallerStartEvents"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
"Version" = "1.0"

Updates are downloaded from the following links:

http://dp.smil***ntral.com/download/redir.jhtml?dest=faqs&product=myfuncards
http://dp.smil***ntral.com/download/redir.jhtml?dest=privacy&product=myfuncards

At the time of writing, these links were inactive.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original malicious file (its location will depend on how the program originally penetrated the victim machine).
  2. Remove the malicious DLL's registration from the system registry. To do so, run the system utility "regsvr32.exe" with the following parameters:
    <complete path to original malicious file> /u
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.

MD5: 6CE6E0C0B247B335FCC1DB8FB178837C
SHA1: BA7FA8C5E053ADBA55C0A64D810B7D51B647FB5C
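The following read-only triage script is an added example and is not part of the Kaspersky description. It checks a host for the registry keys, install path and file hashes listed above; the CLSID, ProgID, file name and hashes come from the page, while the function name, the Wow6432Node handling and the wildcard used for the masked Mozilla plugin key are my own assumptions.

```powershell
# Added example: look for the FunWeb.di footprint described on this page.
# Run from an elevated PowerShell; nothing is modified, only reported.
function Find-FunWebFootprint {
    $clsid     = '{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}'   # from the page
    $knownMd5  = '6CE6E0C0B247B335FCC1DB8FB178837C'          # from the page
    $knownSha1 = 'BA7FA8C5E053ADBA55C0A64D810B7D51B647FB5C'  # from the page
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    $hklm = 'Registry::HKEY_LOCAL_MACHINE'
    $findings = New-Object System.Collections.Generic.List[string]

    # Keys the description says the installer creates. A 32-bit DLL on 64-bit
    # Windows registers under Wow6432Node, so both views are checked (assumption).
    $keys = @(
        "$hkcr\CLSID\$clsid", "$hkcr\Wow6432Node\CLSID\$clsid",
        "$hkcr\FunWebProductsInstaller.Start",
        "$hkcr\FunWebProductsInstaller.Start.1",
        "$hklm\Software\FunWebProducts\Installer",
        "$hklm\Software\Wow6432Node\FunWebProducts\Installer",
        "$hklm\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$clsid"
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
    }
    # The Mozilla plugin key name is masked on the page, so match it by pattern.
    Get-ChildItem -Path "$hklm\Software\MozillaPlugins" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '@funw*ducts.com/Plugin' } |
        ForEach-Object { $findings.Add("plugin key present: $($_.Name)") }

    # Candidate DLLs: the documented install path (both Program Files views)
    # plus whatever InprocServer32 of the CLSID currently points at.
    $paths = @("$env:ProgramFiles\FunWebProducts\Installr\1.bin\F3EZSETP.DLL",
               "${env:ProgramFiles(x86)}\FunWebProducts\Installr\1.bin\F3EZSETP.DLL")
    foreach ($k in @("$hkcr\CLSID\$clsid\InprocServer32",
                     "$hkcr\Wow6432Node\CLSID\$clsid\InprocServer32")) {
        if (Test-Path -LiteralPath $k) {
            $raw = (Get-ItemProperty -LiteralPath $k).'(default)'
            if ($raw) { $paths += [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    $existing = $paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    foreach ($p in $existing) {
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        $match = ($md5 -eq $knownMd5 -and $sha1 -eq $knownSha1)
        $findings.Add("file present: $p (matches described sample: $match)")
    }
    return $findings
}
Find-FunWebFootprint | ForEach-Object { Write-Output $_ }
```

A hash mismatch on a present file means a different build of the library, not a clean file, so the registry findings still count. Note that regsvr32 /u loads the DLL to call its DllUnregisterServer export, so the unregister step only succeeds while the file is still on disk.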


Adware

Adware covers programs designed to display advertisements (usually in the form of banners), redirect search requests to advertising websites, and collect marketing-type data about the user (e.g. which types of websites s/he visits) in order to display customized advertising on the computer.

Other than displaying advertisements and collecting data, programs of this type generally do not make their presence in the system known: there is no icon in the system tray and no entry in the program menu indicating that files have been installed. Adware programs often have no uninstall procedure and use techniques bordering on virus technology to penetrate the computer stealthily and run unnoticed.



Aliases

not-a-virus:AdWare.Win32.FunWeb.di (Kaspersky Lab) is also known as:

  • Adware.FunWeb-4 (ClamAV)
  • W32/Mywebsearch.B.gen!Eldorado (FPROT)
  • Adware.Funweb.23 (DrWeb)
  • Adware.Generic.165443 (BitDef7)
  • Adware.FunWeb!aYxjyzJeunU (VirusBuster)
  • not-a-virus:AdWare.Win32.FunWeb (Ikarus)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Win32.Generic.126E87BB (Rising)
  • Adware.FunWeb!aYxjyzJeunU (VirusBusterBeta)